winchecksec
winchecksec copied to clipboard
Issue #82 Adds -d and -V flags, Add unsupported RFG notice
trailofbits/winchecksec#82
- Adds a -d flag to the output for those that don't want to pipe through a JSON formatter.
- Documents the -V flag.
- This adds a warning to the RFG test that Microsoft never released this capability.
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
Thanks @bonafideduck! I'll take a look at this in a bit.
It seems to be failing in the tests. I did my work on linux, so perhaps there is a difference in the compilers. My c++ is not strong, so perhaps it will be obvious to you.
Thanks for submitting this. I think we're going to pass on the -d
functionality for now, at least until Winchecksec provides lower-maintenance APIs for implementing it. Otherwise, your changes look good!
It is your tool. So I wont push hard.
I wish you would reconsider. Although visible in the json, statements like something not being possible on 64 bits in an easily readable format saves a lot of time.
I wish you would reconsider. Although visible in the json, statements like something not being possible on 64 bits in an easily readable format saves a lot of time.
Yeah, I'm sympathetic. I do think this is a feature we'd like in the medium-term, but the current Checksec API is misdesigned in a few places that make me wary of adding it as-is.
To sum them up:
-
JSON generation is currently part of the API/ABI for the Winchecksec library, which means that library consumers have a public ABI dependency on our vendored version of
nlohmann::json
. It should really just be part of the CLI (i.e., completely encapsulated inmain.cpp
). -
We currently don't have a clean way to enumerate/iterate over all
Checksec
checks, since each is implemented as a member function. We should really replace the currentoperator json()
weirdness with something that returns an STL container for simple iteration (probably something likestd::vector<std::tuple<std::string, MitigationReport>>
). From there, a "detailed" output mode would be pretty simple.
Hi, I apologize for not updating this PR. I was waiting for a response from Zoom Legal about the Contributor License Agreement. They said that this was a bit too broad of an agreement in that I wasn't just signing for this action, but the actions of anyone in Zoom. Legal said they'd be willing to discuss a less broad license.
@bonafideduck No problem! I'll raise this internally today and see if we can come up with a solution.
@bonafideduck I think there may be some confusion here. This CLA should only apply to you, individually, not your entire company. Can you have them email me @ [email protected] and I can sort it out? Thanks!