Exclude ARM Binaries from BA2025 analysis

src/BinSkim.Rules/PERules/BA2025.EnableShadowStack.cs

@@ -66,6 +66,12 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper
                 return notApplicable;
             }
 
+            if (portableExecutable.Machine == Machine.Arm || portableExecutable.Machine == Machine.ArmThumb2)
+            {
+                reasonForNotAnalyzing = MetadataConditions.ImageIsArmBinary;
+                return notApplicable;
+            }
+
             reasonForNotAnalyzing = null;
             return AnalysisApplicability.ApplicableToSpecifiedTarget;
         }

src/BinSkim.Sdk/MetadataConditions.cs

@@ -10,6 +10,7 @@ public static class MetadataConditions
         public static readonly string ImageIsNotExe = SdkResources.MetadataCondition_ImageIsNotExe;
         public static readonly string ImageIsNotMachO = SdkResources.MetadataCondition_ImageIsNotMachO;
         public static readonly string CouldNotLoadPdb = SdkResources.MetadataCondition_CouldNotLoadPdb;
+        public static readonly string ImageIsArmBinary = SdkResources.MetadataCondition_ImageIsArmBinary;
         public static readonly string ImageIsDebugOnly = SdkResources.MetadataCondition_ImageIsDebugOnly;
         public static readonly string ImageIsNotSigned = SdkResources.MetadataCondition_ImageIsNotSigned;
         public static readonly string ImageIsWixBinary = SdkResources.MetadataCondition_ImageIsWixBinary;

src/BinSkim.Sdk/SdkResources.resx

@@ -243,4 +243,7 @@
   <data name="MetadataCondition_ImageIsArm64BitBinary" xml:space="preserve">
     <value>image is an ARM64 binary</value>
   </data>
+  <data name="MetadataCondition_ImageIsArmBinary" xml:space="preserve">
+    <value>image is an ARM binary</value>
+  </data>
 </root>

src/ReleaseHistory.md

@@ -7,6 +7,7 @@
 * Bump ELFSharp from 2.14.0 to 2.15.0. [#631](https://github.com/microsoft/binskim/pull/631)
 * FEATURE: Enable BinSkim for MacOS. [#576](https://github.com/microsoft/binskim/pull/576)
 * Bump Sarif.Sdk by updating submodule from [4e9f606 to fc9a9df](https://github.com/microsoft/sarif-sdk/compare/4e9f606bb0e88428866e253352cdc70dc68f98cb...fc9a9dfb865096b5aaa9fa3651854670940f7459). [#638](https://github.com/microsoft/binskim/pull/638)
+* BUGFIX: Fix `BA2025.EnableShadowStack` warning for ARM Binaries which cannot use `/CETCOMPAT`. [#](https://github.com/microsoft/binskim/pull/)
 
 ## **v1.9.4** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.9.4)
 

src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs

@@ -248,6 +248,30 @@ private void VerifyThrows<ExceptionType>(
             }
         }
 
+        private void VerifyApplicabililtyWithReason(
+            BinarySkimmer skimmer,
+            HashSet<string> applicabilityConditions,
+            string expectedReasonForNotAnalyzing,
+            AnalysisApplicability expectedApplicability = AnalysisApplicability.NotApplicableToSpecifiedTarget,
+            bool useDefaultPolicy = false)
+        {
+
+            string ruleName = skimmer.GetType().Name;
+            string testFilesDirectory = GetTestDirectoryFor(ruleName);
+            testFilesDirectory = Path.Combine(Environment.CurrentDirectory, "FunctionalTestData", testFilesDirectory);
+            testFilesDirectory = Path.Combine(testFilesDirectory, "NotApplicable");
+
+            HashSet<string> targets = this.GetTestFilesMatchingConditions(applicabilityConditions);
+
+            VerifyApplicabilityResults(
+                skimmer,
+                targets,
+                useDefaultPolicy,
+                expectedApplicability,
+                ruleName,
+                expectedReasonForNotAnalyzing);
+        }
+
         private void VerifyApplicability(
             BinarySkimmer skimmer,
             HashSet<string> applicabilityConditions,
@@ -261,8 +285,6 @@ private void VerifyApplicability(
             testFilesDirectory = Path.Combine(Environment.CurrentDirectory, "FunctionalTestData", testFilesDirectory);
             testFilesDirectory = Path.Combine(testFilesDirectory, "NotApplicable");
 
-            var context = new BinaryAnalyzerContext();
-
             HashSet<string> targets = this.GetTestFilesMatchingConditions(applicabilityConditions);
 
             if (Directory.Exists(testFilesDirectory))
@@ -276,6 +298,88 @@ private void VerifyApplicability(
                 }
             }
 
+            VerifyApplicabilityResults(
+                skimmer,
+                targets,
+                useDefaultPolicy,
+                expectedApplicability,
+                ruleName,
+                expectedReasonForNotAnalyzing);
+
+            //var logger = new TestMessageLogger();
+            //context.Logger = logger;
+
+            //var sb = new StringBuilder();
+
+            //foreach (string target in targets)
+            //{
+            //    string extension = Path.GetExtension(target);
+
+            //    context = this.CreateContext(logger, null, target);
+            //    if (!context.IsValidAnalysisTarget) { continue; }
+
+            //    if (useDefaultPolicy)
+            //    {
+            //        context.Policy = new PropertiesDictionary();
+            //    }
+
+            //    context.Rule = skimmer;
+
+            //    AnalysisApplicability applicability = skimmer.CanAnalyze(context, out string reasonForNotAnalyzing);
+
+            //    if (applicability != expectedApplicability)
+            //    {
+            //        // Generates message such as the following:
+            //        // "'BA2025:EnableShadowStack' - 'CanAnalyze' did not correctly indicate target applicability
+            //        // (unexpected return was 'NotApplicableToSpecifiedTarget'): ARM64_CETShadowStack_NotApplicable.exe"
+            //        sb.AppendLine(
+            //            string.Format(
+            //                "'{0}:{1}' - 'CanAnalyze' did not correctly indicate target applicability (unexpected return was '{2}'): {3}",
+            //                skimmer.Id,
+            //                ruleName,
+            //                applicability,
+            //                Path.GetFileName(target)));
+
+            //        continue;
+            //    }
+
+            //    if (expectedReasonForNotAnalyzing != null && reasonForNotAnalyzing != expectedReasonForNotAnalyzing)
+            //    {
+            //        // Generates message such as the following:
+            //        // "'BA2025:EnableShadowStack' - 'CanAnalyze' produced expected outcome but unexpected reason identified
+            //        // (unexpected return was 'image is an ARM64 binary' but 'test' was expected): ARM64_CETShadowStack_NotApplicable.exe"
+            //        sb.AppendLine(
+            //            string.Format(
+            //                "'{0}:{1}' - 'CanAnalyze' produced expected outcome but unexpected reason identified (unexpected return was '{2}' but '{3}' was expected): {4}",
+            //                skimmer.Id,
+            //                ruleName,
+            //                reasonForNotAnalyzing,
+            //                expectedReasonForNotAnalyzing,
+            //                Path.GetFileName(target)));
+
+            //        continue;
+            //    }
+            //}
+
+            //if (sb.Length > 0)
+            //{
+            //    this.testOutputHelper.WriteLine(sb.ToString());
+            //}
+
+            //Assert.Equal(0, sb.Length);
+        }
+
+        private void VerifyApplicabilityResults(
+            BinarySkimmer skimmer,
+            HashSet<string> targets,
+            bool useDefaultPolicy,
+            AnalysisApplicability expectedApplicability,
+            string ruleName,
+            string expectedReasonForNotAnalyzing)
+        {
+
+            var context = new BinaryAnalyzerContext();
+
             var logger = new TestMessageLogger();
             context.Logger = logger;
 
@@ -460,6 +564,17 @@ private HashSet<string> GetTestFilesMatchingConditions(HashSet<string> metadataC
                 result.Add(Path.Combine(testFilesDirectory, "DotnetNative_x86_VS2019_UniversalApp.exe"));
             }
 
+            if (metadataConditions.Contains(MetadataConditions.ImageIsArmBinary))
+            {
+                result.Add(Path.Combine(testFilesDirectory, "ARM_CETShadowStack_NotApplicable.exe"));
+            }
+
+            if (metadataConditions.Contains(MetadataConditions.ImageIsArm64BitBinary))
+            {
+                result.Add(Path.Combine(testFilesDirectory, "ARM64_CETShadowStack_NotApplicable.exe"));
+                result.Add(Path.Combine(testFilesDirectory, "ARM64_dotnet_CETShadowStack_NotApplicable.exe"));
+            }
+
             return result;
         }
 
@@ -1166,10 +1281,19 @@ public void BA2025_EnableShadowStack_Fail()
         [Fact]
         public void BA2025_EnableShadowStack_NotApplicable()
         {
-            this.VerifyApplicability(
+            HashSet<string> notApplicableArm64 = new HashSet<string>() { MetadataConditions.ImageIsArm64BitBinary };
+
+            this.VerifyApplicabililtyWithReason(
                 skimmer: new EnableShadowStack(),
-                applicabilityConditions: null,
+                applicabilityConditions: notApplicableArm64,
                 expectedReasonForNotAnalyzing: MetadataConditions.ImageIsArm64BitBinary);
+
+            HashSet<string> notApplicableArm = new HashSet<string>() { MetadataConditions.ImageIsArmBinary };
+
+            this.VerifyApplicabililtyWithReason(
+                skimmer: new EnableShadowStack(),
+                applicabilityConditions: notApplicableArm64,
+                expectedReasonForNotAnalyzing: MetadataConditions.ImageIsArmBinary);
         }
 
         [Fact]