diff --git a/src/BinSkim.Rules/PERules/BA2006.BuildWithSecureTools.cs b/src/BinSkim.Rules/PERules/BA2006.BuildWithSecureTools.cs
index b3ba4e1d..0880478c 100644
--- a/src/BinSkim.Rules/PERules/BA2006.BuildWithSecureTools.cs
+++ b/src/BinSkim.Rules/PERules/BA2006.BuildWithSecureTools.cs
@@ -46,8 +46,7 @@ public IEnumerable GetOptions()
 return new List
 {
 AllowedLibraries,
- MinimumToolVersions,
- AdvancedMitigationsEnforced
+ MinimumToolVersions
 }.ToImmutableArray();
 }
@@ -63,10 +62,6 @@ public IEnumerable GetOptions()
 new PerLanguageOption(
 AnalyzerName, nameof(AllowedLibraries), defaultValue: () => BuildAllowedLibraries());
- public static PerLanguageOption AdvancedMitigationsEnforced { get; } =
- new PerLanguageOption(
- AnalyzerName, nameof(AdvancedMitigationsEnforced), defaultValue: () => AdvancedMitigations.None);
-
 public override void Initialize(BinaryAnalyzerContext context)
 {
 if (context.Policy == null) { return; }
@@ -246,10 +241,8 @@ and a SymTagCompilandDetails tag (high detail).
 bool foundIssue = actualVersion < minimumVersion;
- AdvancedMitigations advancedMitigations = context.Policy.GetProperty(AdvancedMitigationsEnforced);
 if (!foundIssue &&
- target.PE != null &&
- (advancedMitigations & AdvancedMitigations.Spectre) == AdvancedMitigations.Spectre)
+ target.PE != null)
 {
 var machineType = (ExtendedMachine)target.PE.Machine;
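Review bot: The public `AdvancedMitigationsEnforced` option is deleted in the second hunk (and dropped from `GetOptions` in the first) without any handling for existing BinSkim policy files that still set it, and the third hunk makes the Spectre check unconditional for every PE target instead of gated by that option. I cannot tell from this diff whether an unrecognized policy property is ignored or rejected at load time, so please confirm that and call the removal out in the rule's release notes, since previously clean scans may now report BA2006 findings. A why-comment on the new condition in the third hunk would also help the next reader, e.g. `// Spectre mitigation support is always checked for PE targets; the AdvancedMitigationsEnforced policy gate was removed.` The methods containing the second and third hunks continue outside the hunks.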
@@ -257,21 +250,24 @@ and a SymTagCompilandDetails tag (high detail).
 // Now we'll retrieve relevant compiler mitigation details to
 // ensure this object module's build and revision meet
 // expectations.
- CompilerMitigations newMitigationData =
+ CompilerMitigations compilerMitigation =
 EnableSpectreMitigations.GetAvailableMitigations(context, machineType, actualVersion);
- // Current compiler version does not support Spectre mitigations.
- foundIssue = !newMitigationData.HasFlag(CompilerMitigations.D2GuardSpecLoadAvailable)
- && !newMitigationData.HasFlag(CompilerMitigations.QSpectreAvailable);
+ // Determine if required Spectre mitigations are missing
+ bool hasNoMitigations = compilerMitigation.HasFlag(CompilerMitigations.None);
+ bool lacksSpectreMitigations =
+ !compilerMitigation.HasFlag(CompilerMitigations.D2GuardSpecLoadAvailable) &&
+ !compilerMitigation.HasFlag(CompilerMitigations.QSpectreAvailable);
- if (foundIssue)
+ if (hasNoMitigations || lacksSpectreMitigations)
 {
- // Get the closest compiler version that has mitigations--i.e. if the user is using a 19.0 (VS2015) compiler, we should be recommending an upgrade to the
- // 19.0 version that has the mitigations, not an upgrade to a 19.10+ (VS2017) compiler.
- // Limitation--if there are multiple 'upgrade to' versions to recommend, this just going to give users the last one we see in the error.
- minCompilerVersion = EnableSpectreMitigations.GetClosestCompilerVersionWithSpectreMitigations(context, machineType, actualVersion);
+ foundIssue = true;
+
+ // Attempt to find the closest compiler version that supports Spectre mitigations
+ minCompilerVersion = EnableSpectreMitigations.GetClosestCompilerVersionWithSpectreMitigations(
+ context, machineType, actualVersion);
- // Indicates Spectre mitigations are not supported on this platform. We won't flag this case.
+ // If no suitable compiler version is found, Spectre mitigations are not supported on this platform
 if (minCompilerVersion == null)
 {
 foundIssue = false;
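Review bot: `bool hasNoMitigations = compilerMitigation.HasFlag(CompilerMitigations.None);` is always true if `None` is the zero member its name suggests, because `Enum.HasFlag` with a zero flag value holds for every value (`x & 0 == 0`), so `if (hasNoMitigations || lacksSpectreMitigations)` now enters the branch for every module, including ones whose toolchain already exposes `QSpectreAvailable` or `D2GuardSpecLoadAvailable`. Whether such a module is reported then rests solely on `GetClosestCompilerVersionWithSpectreMitigations` returning null, which is not what the "missing mitigations" comment describes; I cannot see from here what that helper returns for an already-capable version, so this looks like a false-positive risk. The `None` check is also redundant: with no flags set, `lacksSpectreMitigations` is already true, exactly as the removed expression computed. Either drop `hasNoMitigations` entirely or use `bool hasNoMitigations = compilerMitigation == CompilerMitigations.None;`. The enclosing method starts and ends outside this hunk.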