false positive BA2004:Warning_NativeWithInsecureStaticLibraryCompilands for managed C++ (C++/CLI) [w/repro] #1068

mababey opened this issue Apr 25, 2025 · 0 comments

mababey commented Apr 25, 2025

We have some managed C++ DLLs flagged by BinSkim for BA2004, specifically for NativeWithInsecureStaticLibraryCompilands, even with /ZH:SHA_256 applied. Checking the binaries with cvdump -sf, you can see the correct hashes for the native code, but references to managed assemblies with no hash details.

BA2004ManagedCppRepro.zip

Repro:

  • Open attached solution BA2004ManagedCppRepro in VS2022.
  • Build Release | x64.
  • Run binskim analyze x64\Release\BA2004ManagedCppRepro.dll.

SARIF will report:

{
  "ruleId": "BA2004",
  "ruleIndex": 0,
  "message": {
    "id": "Warning_NativeWithInsecureStaticLibraryCompilands",
    "arguments": [
      "BA2004ManagedCppRepro.dll",
      "Microsoft (R) Optimizing Compiler : cxx : 19.43.34810.0 : [directly linked] [No hash value present] (Dummy.obj)\r\n"
    ]
  }
}

You can check cvdump -sf x64\Release\BA2004ManagedCppRepro.dll:

** Module: "[TRUNCATED]\BA2004ManagedCppRepro\x64\Release\Dummy.obj"

     0 C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.7.2\System.dll (None)
     1 [TRUNCATED]\BA2004ManagedCppRepro\Dummy.cpp (SHA_256: 64E6D14E707AF8FDCB77BE5A5CA5BBBBF0C1714BFF164269DF00D5538D51DDE1)
     2 C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.7.2\mscorlib.dll (None)
     3 [TRUNCATED]\BA2004ManagedCppRepro\Dummy.h (SHA_256: B0B1F9855D76077F0C74C90470F60754BC7F15FE4699672D40F7E980739ED397)
     4 [TRUNCATED]\BA2004ManagedCppRepro\predefined C++ types (compiler internal) (None)
     5 [TRUNCATED]\BA2004ManagedCppRepro\predefined C++\CLI attribute types (compiler internal) (None)

Looking at the implementation for BA2004, there's variability in whether object files will be flagged, depending on the order in which the sources show up:

    // We only need to check a single source file per compiland, as the relevant
    // command-line options will be applied to all files in the translation unit.

So the way I've found to make it repro more reliably is to add explicit references like:

  <ItemGroup>
    <Reference Include="System" />
  </ItemGroup>

which seems to make the .NET assemblies show up first in the "sources".

The warning class has some hardcoded exclusions for expected toolset stuff we see in the dump, like "predefined C++ types (compiler internal)", but not possible managed references.
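A small standalone checker, added here as an illustration and not BinSkim's own code, that parses cvdump -sf output and contrasts an order-dependent "first listed entry" verdict with one that only looks at real source files, skipping managed reference assemblies and compiler-internal pseudo-sources. The sample dump is constructed from the output in the issue with the [TRUNCATED] prefix replaced by C:\repro, plus a made-up Legacy.obj module that genuinely lacks a hash, so both a false positive and a true positive are visible.

```python
import re

# Constructed sample modelled on the cvdump -sf output in the issue: the [TRUNCATED]
# prefix is replaced by C:\repro, and a second, purely native module is added.
SAMPLE_DUMP = r"""
** Module: "C:\repro\BA2004ManagedCppRepro\x64\Release\Dummy.obj"
     0 C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.7.2\System.dll (None)
     1 C:\repro\BA2004ManagedCppRepro\Dummy.cpp (SHA_256: 64E6D14E707AF8FDCB77BE5A5CA5BBBBF0C1714BFF164269DF00D5538D51DDE1)
     2 C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.7.2\mscorlib.dll (None)
     3 C:\repro\BA2004ManagedCppRepro\Dummy.h (SHA_256: B0B1F9855D76077F0C74C90470F60754BC7F15FE4699672D40F7E980739ED397)
     4 C:\repro\BA2004ManagedCppRepro\predefined C++ types (compiler internal) (None)
     5 C:\repro\BA2004ManagedCppRepro\predefined C++\CLI attribute types (compiler internal) (None)
** Module: "C:\repro\Legacy\x64\Release\Legacy.obj"
     0 C:\repro\Legacy\Legacy.cpp (None)
"""

MODULE_RE = re.compile(r'^\*\* Module: "(.*)"\s*$')
# "<index> <path> (None)" or "<index> <path> (SHA_256: <hex>)"; the path may itself contain parentheses.
SOURCE_RE = re.compile(r'^\s*\d+\s+(.*?)\s+\((None|(\w+): [0-9A-Fa-f]+)\)\s*$')

def parse_cvdump_sf(text):
    """Return {module_path: [(source_path, hash_algorithm_or_None), ...]}."""
    modules, current = {}, None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            current = m.group(1)
            modules[current] = []
            continue
        s = SOURCE_RE.match(line)
        if s and current is not None:
            modules[current].append((s.group(1), s.group(3)))  # group(3) is None for "(None)"
    return modules

def is_reference_or_internal(path):
    """Entries that never carry a hash: managed reference assemblies and compiler-internal pseudo-files."""
    return path.lower().endswith('.dll') or path.endswith('(compiler internal)')

def first_entry_unhashed(sources):
    """Order-dependent check: flags the compiland if whichever entry is listed first has no hash."""
    return bool(sources) and sources[0][1] is None

def real_source_unhashed(sources, secure=('SHA_256',)):
    """Flags the compiland only if an actual source file lacks a secure hash."""
    return any(alg not in secure for path, alg in sources if not is_reference_or_internal(path))

def audit(text):
    """Map each module to (order_dependent_verdict, source_only_verdict); True means 'insecure'."""
    return {mod: (first_entry_unhashed(src), real_source_unhashed(src)) for mod, src in parse_cvdump_sf(text).items()}
```

For the sample, Dummy.obj is flagged only by the order-dependent check (its first entry is System.dll), while Legacy.obj is flagged by both because its real source has no hash.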
