Merge pull request #944 from microsoft/users/shaopeng-gh/wix

* NEW: Add XML configuration option `IncludeWixBinaries` to include Wix binaries in the analysis.

ReleaseHistory.md

@@ -29,6 +29,8 @@
 * BUG: Fix `--trace` missing supported values from SARIF SDK (`ScanTime`, `RuleScanTime`, `PeakWorkingSet`, `TargetsScanned`, `ResultsSummary`). [896](https://github.com/microsoft/binskim/pull/896)
 * BUG: Temporarily restore command-line option `--hashes` and `--statistics` as obsolete for compatibility reasons. Please do not use them as they will be removed in future releases. [945](https://github.com/microsoft/binskim/pull/945)
 * NEW: `BA2024.EnableSpectreMitigations` now informs user when a compiland `RawCommandLine` value is missing and the rule is therefore not able to determine if `/Qspectre` is specified. [#933](https://github.com/microsoft/binskim/pull/933)
+* NEW: Add `IncludeWixBinaries` option when using config file, to include Wix binaries in the analysis. [#944](https://github.com/microsoft/binskim/pull/944)
+* NEW: Support `SymbolPath`, `LocalSymbolDirectories`, `IgnorePdbLoadError` option when using config file, in addtion to passing as command line parameters. [#944](https://github.com/microsoft/binskim/pull/944)
 
 ## **v4.1.0**
 * DEP: Update Sarif.Sdk submodule from [120fae3 to bc8cb57](https://github.com/microsoft/sarif-sdk/compare/120fae3...bc8cb57). Full [SARIF SDK Release History](https://github.com/microsoft/sarif-sdk/blob/bc8cb57/ReleaseHistory.md).

docs/FunctionalTestBuildScripts.md

@@ -218,3 +218,8 @@ The Visual Studio 2022 "empty console application" template, compiled as Debug|x
 ## Sha256SignedUntrustedRoot.exe
 
 The Visual Studio 2022 default executable template, in project property signing tab enable sign the assembly with a test certificate with sha256RSA.
+
+## Wix_4.0.1_VS2022_Bundle.exe
+
+The Visual Studio 2022 "Wix Bundle" template, with one "Wix MSI package" that combines a default C# helloworld console app and a default C++ helloworld console app.
+The default C++ helloworld console app itself will trigger BinSkim rules. Currently BinSkim does not scan files inside the package and the bundle file itself will pass BinSkim rules.

src/BinSkim.Driver/AnalyzeOptions.cs

@@ -51,7 +51,7 @@ public class AnalyzeOptions : AnalyzeOptionsBase
         [Option(
             "ignorePdbLoadError",
             HelpText = "If enabled, BinSkim won't break if we have a 'PdbLoadingException'.")]
-        public bool IgnorePdbLoadError { get; set; }
+        public bool? IgnorePdbLoadError { get; set; }
 
         [Option(
             's',

src/BinSkim.Driver/MultithreadedAnalyzeCommand.cs

@@ -68,9 +68,9 @@ public override BinaryAnalyzerContext InitializeGlobalContextFromOptions(Analyze
             base.InitializeGlobalContextFromOptions(options, ref context);
 
             // Update context object based on command-line parameters.
-            context.SymbolPath = options.SymbolsPath;
-            context.IgnorePdbLoadError = options.IgnorePdbLoadError;
-            context.LocalSymbolDirectories = options.LocalSymbolDirectories;
+            context.SymbolPath = options.SymbolsPath ?? context.SymbolPath;
+            context.IgnorePdbLoadError = options.IgnorePdbLoadError != null ? options.IgnorePdbLoadError.Value : context.IgnorePdbLoadError;
+            context.LocalSymbolDirectories = options.LocalSymbolDirectories ?? context.LocalSymbolDirectories;
             context.TracePdbLoads = options.Trace.Contains(nameof(Traces.PdbLoad));
 
             context.CompilerDataLogger =
@@ -101,6 +101,7 @@ protected override BinaryAnalyzerContext CreateScanTargetContext(BinaryAnalyzerC
 
             scanTargetContext.CompilerDataLogger = context.CompilerDataLogger;
             scanTargetContext.SymbolPath = context.SymbolPath;
+            scanTargetContext.IncludeWixBinaries = context.IncludeWixBinaries;
             scanTargetContext.IgnorePdbLoadError = context.IgnorePdbLoadError;
             scanTargetContext.LocalSymbolDirectories = context.LocalSymbolDirectories;
             scanTargetContext.TracePdbLoads = context.TracePdbLoads;

src/BinSkim.Rules/PERules/BA2001.LoadImagesAboveFourGigabyteAddress.cs

@@ -44,7 +44,7 @@ public class LoadImageAboveFourGigabyteAddress : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2002.DoNotIncorporateVulnerableDependencies.cs

@@ -77,7 +77,7 @@ public override void Initialize(BinaryAnalyzerContext context)
             return;
         }
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs

@@ -41,7 +41,7 @@ public class EnableSecureSourceCodeHashing : WindowsBinaryAndPdbSkimmerBase, IOp
             nameof(RuleResources.NotApplicable_InvalidMetadata)
         };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             reasonForNotAnalyzing = null;
             return AnalysisApplicability.ApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2005.DoNotShipVulnerableBinaries.cs

@@ -72,7 +72,7 @@ private static StringToVersionMap BuildDefaultVulnerableBinariesMap()
         //       Between one and unlimited times, as many times as possible, giving back as needed (greedy) «+»
         private static readonly Regex s_versionRegex = new Regex(@"\d+(\.\d+){0,3}", RegexOptions.Compiled | RegexOptions.CultureInvariant | RegexOptions.ExplicitCapture);
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             reasonForNotAnalyzing = "";
             return AnalysisApplicability.ApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2006.BuildWithSecureTools.cs

@@ -90,7 +90,7 @@ public override void Initialize(BinaryAnalyzerContext context)
             return;
         }
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2007.EnableCriticalCompilerWarnings.cs

@@ -64,7 +64,7 @@ public IEnumerable<IOption> GetOptions()
             new PerLanguageOption<IntegerSet>(
                 AnalyzerName, nameof(RequiredCompilerWarnings), defaultValue: () => BuildRequiredCompilerWarningsSet());
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2008.EnableControlFlowGuard.cs

@@ -65,7 +65,7 @@ public IEnumerable<IOption> GetOptions()
         public const uint IMAGE_GUARD_CF_CHECKS =
             IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT;
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;
@@ -85,7 +85,7 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper
             reasonForNotAnalyzing = MetadataConditions.ImageIsBootBinary;
             if (portableExecutable.IsBoot) { return result; }
 
-            Version minimumRequiredLinkerVersion = policy.GetProperty(MinimumRequiredLinkerVersion);
+            Version minimumRequiredLinkerVersion = context.Policy.GetProperty(MinimumRequiredLinkerVersion);
 
             if (portableExecutable.LinkerVersion < minimumRequiredLinkerVersion)
             {
@@ -98,7 +98,7 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper
             }
 
             reasonForNotAnalyzing = MetadataConditions.ImageIsWixBinary;
-            if (portableExecutable.IsWixBinary) { return result; }
+            if (!context.IncludeWixBinaries && portableExecutable.IsWixBinary) { return result; }
 
             reasonForNotAnalyzing = null;
             return AnalysisApplicability.ApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2009.EnableAddressSpaceLayoutRandomization.cs

@@ -42,7 +42,7 @@ public class EnableAddressSpaceLayoutRandomization : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2010.DoNotMarkImportsSectionAsExecutable.cs

@@ -40,7 +40,7 @@ public class DoNotMarkImportsSectionAsExecutable : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2011.EnableStackProtection.cs

@@ -40,7 +40,7 @@ public class EnableStackProtection : WindowsBinaryAndPdbSkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             return StackProtectionUtilities.CommonCanAnalyze(target, out reasonForNotAnalyzing);
         }

src/BinSkim.Rules/PERules/BA2012.DoNotModifyStackProtectionCookie.cs

@@ -51,7 +51,7 @@ public class DoNotModifyStackProtectionCookie : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             return StackProtectionUtilities.CommonCanAnalyze(target, out reasonForNotAnalyzing);
         }

src/BinSkim.Rules/PERules/BA2013.InitializeStackProtection.cs

@@ -45,7 +45,7 @@ public class InitializeStackProtection : WindowsBinaryAndPdbSkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             return StackProtectionUtilities.CommonCanAnalyze(target, out reasonForNotAnalyzing);
         }

src/BinSkim.Rules/PERules/BA2014.DoNotDisableStackProtectionForFunctions.cs

@@ -68,7 +68,7 @@ private static StringSet BuildApprovedFunctionsStringSet()
             new PerLanguageOption<StringSet>(
                 AnalyzerName, nameof(StringSet), defaultValue: () => BuildApprovedFunctionsStringSet());
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             AnalysisApplicability applicability = StackProtectionUtilities.CommonCanAnalyze(target, out reasonForNotAnalyzing);
 

src/BinSkim.Rules/PERules/BA2015.EnableHighEntropyVirtualAddresses.cs

@@ -41,7 +41,7 @@ public class EnableHighEntropyVirtualAddresses : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2016.MarkImageAsNXCompatible.cs

@@ -42,7 +42,7 @@ public class MarkImageAsNXCompatible : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2018.EnableSafeSEH.cs

@@ -41,7 +41,7 @@ public class EnableSafeSEH : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2019.DoNotMarkWritableSectionsAsShared.cs

@@ -40,7 +40,7 @@ public class DoNotMarkWritableSectionsAsShared : PEBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2021.DoNotMarkWritableSectionsAsExecutable.cs

@@ -42,7 +42,7 @@ public class DoNotMarkWritableSectionsAsExecutable : PEBinarySkimmerBase
 
         private const int PAGE_SIZE = 0x1000;
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2022.SignSecurely.cs

@@ -39,7 +39,7 @@ public class SignSecurely : WindowsBinarySkimmerBase
                     nameof(RuleResources.NotApplicable_InvalidMetadata)
                 };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             reasonForNotAnalyzing = null;
             return AnalysisApplicability.ApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2024.EnableSpectreMitigations.cs

@@ -90,7 +90,7 @@ public IEnumerable<IOption> GetOptions()
         // Please do not access this field outside of this class and unit tests.
         internal static ConcurrentDictionary<MachineFamily, CompilerVersionToMitigation[]> compilerData = null;
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2025.EnableShadowStack.cs

@@ -41,7 +41,7 @@ public class EnableShadowStack : WindowsBinaryAndPdbSkimmerBase
             nameof(RuleResources.NotApplicable_InvalidMetadata)
         };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability notApplicable = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2026.EnableMicrosoftCompilerSdlSwitch.cs

@@ -38,7 +38,7 @@ public class EnableMicrosoftCompilerSdlSwitch : WindowsBinaryAndPdbSkimmerBase
             nameof(RuleResources.NotApplicable_InvalidMetadata)
         };
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability notApplicable = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA2027.EnableSourceLink.cs

@@ -38,7 +38,7 @@ public override void Initialize(BinaryAnalyzerContext context)
             base.Initialize(context);
         }
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             // Source Link is supported on the C# compiler and MSVC only.
             if (!target.PE.IsManaged && target.Pdb != null && !target.PE.IsTargetCompiledWithMsvc(target.Pdb))

src/BinSkim.Rules/PERules/BA2029.EnableIntegrityCheck.cs

@@ -47,7 +47,7 @@ public class EnableIntegrityCheck : PEBinarySkimmerBase
 
         public const uint IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080;
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             PE portableExecutable = target.PE;
             AnalysisApplicability notApplicable = AnalysisApplicability.NotApplicableToSpecifiedTarget;

src/BinSkim.Rules/PERules/BA4001.ReportPortableExecutableCompilerData.cs

@@ -42,7 +42,7 @@ public IEnumerable<IOption> GetOptions()
             }.ToImmutableArray();
         }
 
-        public override AnalysisApplicability CanAnalyzePE(PEBinary target, PropertiesDictionary policy, out string reasonForNotAnalyzing)
+        public override AnalysisApplicability CanAnalyzePE(PEBinary target, BinaryAnalyzerContext context, out string reasonForNotAnalyzing)
         {
             reasonForNotAnalyzing = null;
             return AnalysisApplicability.ApplicableToSpecifiedTarget;