BA2004.EnableSecureSourceCodeHashing now will no longer generate fa…

…lse positives on precompiled headers (#965)

* FPS: `BA2004.EnableSecureSourceCodeHashing` now will no longer generate false positives on precompiled headers, they are always without hash.

* Update Baseline

ReleaseHistory.md

@@ -16,6 +16,7 @@
 - NEW => new feature 
 
 ## UNRELEASED
+* FPS: `BA2004.EnableSecureSourceCodeHashing` now will no longer generate false positives on precompiled headers, they are always without hash. [#965](https://github.com/microsoft/binskim/pull/965)
 
 ## **v4.2.0**
 * DEP: Remove `Microsoft.CodeAnalysis`. [#934](https://github.com/microsoft/binskim/pull/934)

docs/FunctionalTestBuildScripts.md

@@ -215,6 +215,10 @@ _Yes_Manual_FORCE_INTEGRITY: `/INTEGRITYCHECK` and then use tool to Manually set
 
 The Visual Studio 2022 "empty console application" template, compiled as Debug|x64.  The `/PDBPageSize:8192` linker option set page size to 8192.
 
+## Native_x64_VS2022_WithPCH_[sha256/sha1].exe
+
+The Visual Studio 2022 default C++ Console template, compiled as Debug|x64. In C++ Precompiled Headers setting, set to /Yc, use file name `apch.h` and set output file to `$(IntDir)renamedapch.pch`.
+
 ## Sha256SignedUntrustedRoot.exe
 
 The Visual Studio 2022 default executable template, in project property signing tab enable sign the assembly with a test certificate with sha256RSA.

src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs

@@ -173,21 +173,10 @@ public void AnalyzeNativeBinaryAndPdb(BinaryAnalyzerContext context)
                                 // assembly, a Win RT API 'metadata' file.
                                 continue;
                             }
-                            else if (pchFileName != string.Empty)
+                            else if (sf.FileName.EndsWith(".pch"))
                             {
-                                // 2. The file used to create a precompiled header using the /Yc switch
-                                // TODO - We need a prepass on the library / final link to determine which file was
-                                //        used to create the pch, as this is the file that will have a HashType.None
-                                // 3. The pch file itself
-                                if (sfName == Path.GetFileName(pchFileName))
-                                {
-                                    continue;
-                                }
-                                // TODO - check this against the filename used to create the pch.  For now just let it pass
-                                else // if(sfName == pchCreationTUFileName)
-                                {
-                                    continue;
-                                }
+                                // Precompiled headers currently does not emit hash.
+                                continue;
                             }
                         }
                     }

src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/MixedMode_x64_VS2013_Default.dll.sarif

@@ -69,6 +69,27 @@
             }
           ]
         },
+        {
+          "ruleId": "BA2004",
+          "ruleIndex": 2,
+          "message": {
+            "id": "Warning_NativeWithInsecureStaticLibraryCompilands",
+            "arguments": [
+              "MixedMode_x64_VS2013_Default.dll",
+              "Microsoft (R) Optimizing Compiler : cxx : 18.0.21005.1 : [directly linked] [No hash value present] (Stdafx.obj)\r\n"
+            ]
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x64_VS2013_Default.dll",
+                  "index": 0
+                }
+              }
+            }
+          ]
+        },
         {
           "ruleId": "BA2004",
           "ruleIndex": 2,
@@ -77,7 +98,7 @@
             "id": "Error_NativeWithInsecureDirectCompilands",
             "arguments": [
               "MixedMode_x64_VS2013_Default.dll",
-              "Microsoft (R) Optimizing Compiler : cxx : 18.0.21005.1 : [directly linked] [MD5] (.NETFramework,Version=v4.5.AssemblyAttributes.obj,AssemblyInfo.obj,MixedMode_x64_VS2013_Default.obj,Stdafx.obj)\r\n"
+              "Microsoft (R) Optimizing Compiler : cxx : 18.0.21005.1 : [directly linked] [MD5] (.NETFramework,Version=v4.5.AssemblyAttributes.obj,AssemblyInfo.obj,MixedMode_x64_VS2013_Default.obj)\r\n"
             ]
           },
           "locations": [

src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/MixedMode_x64_VS2015_Default.exe.sarif

@@ -76,7 +76,7 @@
             "id": "Warning_NativeWithInsecureStaticLibraryCompilands",
             "arguments": [
               "MixedMode_x64_VS2015_Default.exe",
-              "Microsoft (R) Optimizing Compiler : cxx : 19.0.24215.1 : [directly linked] [No hash value present] (.NETFramework,Version=v4.5.2.AssemblyAttributes.obj)\r\n"
+              "Microsoft (R) Optimizing Compiler : cxx : 19.0.24215.1 : [directly linked] [No hash value present] (.NETFramework,Version=v4.5.2.AssemblyAttributes.obj,stdafx.obj)\r\n"
             ]
           },
           "locations": [

src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/MixedMode_x86_VS2013_Default.exe.sarif

@@ -47,6 +47,27 @@
             }
           ]
         },
+        {
+          "ruleId": "BA2004",
+          "ruleIndex": 1,
+          "message": {
+            "id": "Warning_NativeWithInsecureStaticLibraryCompilands",
+            "arguments": [
+              "MixedMode_x86_VS2013_Default.exe",
+              "Microsoft (R) Optimizing Compiler : cxx : 18.0.21005.1 : [directly linked] [No hash value present] (stdafx.obj)\r\n"
+            ]
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/MixedMode_x86_VS2013_Default.exe",
+                  "index": 0
+                }
+              }
+            }
+          ]
+        },
         {
           "ruleId": "BA2004",
           "ruleIndex": 1,
@@ -55,7 +76,7 @@
             "id": "Error_NativeWithInsecureDirectCompilands",
             "arguments": [
               "MixedMode_x86_VS2013_Default.exe",
-              "Microsoft (R) Optimizing Compiler : cxx : 18.0.21005.1 : [directly linked] [MD5] (.NETFramework,Version=v4.5.AssemblyAttributes.obj,AssemblyInfo.obj,MixedMode_x86_VS2013_Default.obj,stdafx.obj)\r\n"
+              "Microsoft (R) Optimizing Compiler : cxx : 18.0.21005.1 : [directly linked] [MD5] (.NETFramework,Version=v4.5.AssemblyAttributes.obj,AssemblyInfo.obj,MixedMode_x86_VS2013_Default.obj)\r\n"
             ]
           },
           "locations": [

src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/MixedMode_x86_VS2015_Default.exe.sarif

@@ -54,7 +54,7 @@
             "id": "Warning_NativeWithInsecureStaticLibraryCompilands",
             "arguments": [
               "MixedMode_x86_VS2015_Default.exe",
-              "Microsoft (R) Optimizing Compiler : cxx : 19.0.24215.1 : [directly linked] [No hash value present] (.NETFramework,Version=v4.5.2.AssemblyAttributes.obj)\r\n"
+              "Microsoft (R) Optimizing Compiler : cxx : 19.0.24215.1 : [directly linked] [No hash value present] (.NETFramework,Version=v4.5.2.AssemblyAttributes.obj,stdafx.obj)\r\n"
             ]
           },
           "locations": [