winchecksec icon indicating copy to clipboard operation
winchecksec copied to clipboard

Published 20 hours ago verified publisher icon trailofbits

Issue #82 Adds -d and -V flags, Add unsupported RFG notice

Open bonafideduck opened this issue 3 years ago • 9 comments

trailofbits/winchecksec#82

  • Adds a -d flag to the output for those that don't want to pipe through a JSON formatter.
  • Documents the -V flag.
  • This adds a warning to the RFG test that Microsoft never released this capability.

bonafideduck avatar Oct 14 '20 21:10 bonafideduck

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Oct 14 '20 21:10 CLAassistant

Thanks @bonafideduck! I'll take a look at this in a bit.

woodruffw avatar Oct 14 '20 22:10 woodruffw

It seems to be failing in the tests. I did my work on linux, so perhaps there is a difference in the compilers. My c++ is not strong, so perhaps it will be obvious to you.

bonafideduck avatar Oct 15 '20 01:10 bonafideduck

Thanks for submitting this. I think we're going to pass on the -d functionality for now, at least until Winchecksec provides lower-maintenance APIs for implementing it. Otherwise, your changes look good!

woodruffw avatar Oct 15 '20 14:10 woodruffw

It is your tool. So I wont push hard.

I wish you would reconsider. Although visible in the json, statements like something not being possible on 64 bits in an easily readable format saves a lot of time.

bonafideduck avatar Oct 15 '20 15:10 bonafideduck

I wish you would reconsider. Although visible in the json, statements like something not being possible on 64 bits in an easily readable format saves a lot of time.

Yeah, I'm sympathetic. I do think this is a feature we'd like in the medium-term, but the current Checksec API is misdesigned in a few places that make me wary of adding it as-is.

To sum them up:

  • JSON generation is currently part of the API/ABI for the Winchecksec library, which means that library consumers have a public ABI dependency on our vendored version of nlohmann::json. It should really just be part of the CLI (i.e., completely encapsulated in main.cpp).

  • We currently don't have a clean way to enumerate/iterate over all Checksec checks, since each is implemented as a member function. We should really replace the current operator json() weirdness with something that returns an STL container for simple iteration (probably something like std::vector<std::tuple<std::string, MitigationReport>>). From there, a "detailed" output mode would be pretty simple.

woodruffw avatar Oct 15 '20 16:10 woodruffw

Hi, I apologize for not updating this PR. I was waiting for a response from Zoom Legal about the Contributor License Agreement. They said that this was a bit too broad of an agreement in that I wasn't just signing for this action, but the actions of anyone in Zoom. Legal said they'd be willing to discuss a less broad license.

bonafideduck avatar Oct 23 '20 12:10 bonafideduck

@bonafideduck No problem! I'll raise this internally today and see if we can come up with a solution.

woodruffw avatar Oct 26 '20 16:10 woodruffw

@bonafideduck I think there may be some confusion here. This CLA should only apply to you, individually, not your entire company. Can you have them email me @ [email protected] and I can sort it out? Thanks!

dguido avatar Oct 26 '20 16:10 dguido