[HN Gopher] Microsoft Application Inspector
       ___________________________________________________________________
        
       Microsoft Application Inspector
        
       Author : pjmlp
       Score  : 291 points
       Date   : 2020-01-28 14:57 UTC (8 hours ago)
        
        
       | kozhevnikov wrote:
       | Sounds like builtwith.com for codebases. I wonder if one can run
       | it against all company repos and generate an accurate
       | stackshare.io alternative.
        
       | whatsmyusername wrote:
       | Unusable on osx. It fires off 20+ notarization errors on run.
        
       | wongarsu wrote:
       | I'm simultaneously amused and saddened that even apps released by
       | Microsoft('s github organization) don't support white-space in
       | paths.
        
       | mitchty wrote:
       | > The tool supports scanning various programming languages
       | including C, C++, C#, Java, JavaScript, HTML, Python,
       | Objective-C, Go, Rudy, Powershell and more and includes html,
       | json and text output formats with the default being an html
       | report similar to the one shown here.
       | 
       | Is Rudy meant to be Ruby?
        
         | mikerg87 wrote:
         | Yes - its a typo. There is a pull request for it already.
         | 
         | https://github.com/Microsoft/ApplicationInspector/pulls
        
       | akavel wrote:
        | I think an important warning should be, that it can maybe to some
        | extent tell _"what's [for sure] in it"_, but I suspect it
        | definitely shouldn't be used to verify _"what's NOT in it"_, as
       | in any kind of "security verification". Meaning, if you want to
       | hide some code/malware snippet from it on purpose, I assume
       | you'll definitely find a way to do that. And even if not on
       | purpose, it may still happen accidentally.
        
       | gregmac wrote:
       | This looks like something that would be nice to have integrated
       | in nuget.org, showing the report output for every package/version
       | (and maybe highlighting deltas across versions).
       | 
       | If you're running this across your own project output, especially
       | for a big code base, it's definitely not going to be as useful as
       | across each dependency. For example your app having "analytics
       | services" and "outbound http connections" might be totally
       | normal, but if a library you're using for encryption adds those,
       | that would be a concern.
        
         | nickspag wrote:
         | In regards to the first line of your comment, check out
         | https://www.fuget.org. It does exactly that.
        
           | azinman2 wrote:
           | Sorry, where's the app inspector output in this?
           | 
           | https://www.fuget.org/packages/System.Net.Http for example
           | doesn't show me all of that.
        
         | woohoo7676 wrote:
         | This is a great idea - would love to have this info integrated
         | into nuget.
         | 
         | Most likely people aren't going bother to run this on
         | dependencies themselves (not to mention every version update),
         | so having the info surfaced at the point of decision would be
         | very useful and reach a ton more folks.
        
           | joelverhagen wrote:
           | Hey folks, I'm on the NuGet team and I noticed this thread
           | this morning. This is the first I've heard of Application
           | Inspector (Microsoft is a big place!) but the tool looks
           | awesome and the output is easy to understand for a variety of
           | experience levels. The idea of integrating with NuGet sounds
           | very promising! Caveats need to be investigated, i.e. my
           | guess is the report is not exhaustive since code could
           | perhaps call scary APIs in esoteric ways but perhaps there is
           | value even if it covers just MOST of the cases.
           | 
           | I've tracked a feature request on GitHub here attempting to
           | represent what was suggested here:
           | 
           | https://github.com/NuGet/NuGetGallery/issues/7824
           | 
           | Add additional comments if you have thoughts on how it should
           | work or anything else. Our backlog is pretty full right now
           | but we'll update this GitHub issue if there is movement.
        
             | 1wd wrote:
             | In addition / instead of showing the results in the web UI,
             | it would be valuable to make Nuget enforce user selected
             | criteria. When referencing a package I would like to
             | annotate that reference with some criteria that are
             | currently met (e.g. the referenced package makes no network
             | calls) and then later for a package upgrade Nuget would
             | automatically check if these criteria are still met, or
             | fail the upgrade.
        
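The version-delta report gregmac asks for and the "criteria must still hold
after an upgrade" check 1wd describes are the same computation: diff the tag
sets of two scanned versions and refuse the upgrade if the new version
carries tags the consuming project ruled out. The script below is an added
example, not NuGet or Application Inspector code. Everything in it is
constructed: the flat "version -> list of tags" report shape (the real
Application Inspector JSON output is richer), the tag names, the manifest
format that annotates a reference with a `must_not` list, and the package
`FastCrypto`.

```python
import json

# Constructed scan results, reduced to a flat set of tags per version.
# Tag names are made up for the example; they are not Application
# Inspector's tag vocabulary.
REPORTS_JSON = """
{
  "FastCrypto/1.0.0": ["Cryptography.Encryption", "Cryptography.Hash"],
  "FastCrypto/1.1.0": ["Cryptography.Encryption", "Cryptography.Hash",
                       "Network.Outbound.Http", "Analytics.Service"]
}
"""

# A package reference annotated with the criteria it currently meets
# (1wd's idea).  Constructed manifest format, not NuGet's PackageReference.
MANIFEST_JSON = """
{
  "references": [
    {"package": "FastCrypto", "version": "1.0.0",
     "must_not": ["Network.", "Analytics."]}
  ]
}
"""


def load_reports(text):
    """Parse the constructed report file into {version_key: set(tags)}."""
    return {key: set(tags) for key, tags in json.loads(text).items()}


def load_manifest(text):
    return json.loads(text)


def tag_delta(old_tags, new_tags):
    """Tags gained and lost between two versions (the per-version delta)."""
    return sorted(new_tags - old_tags), sorted(old_tags - new_tags)


def violations(tags, must_not):
    """Tags that fall under any forbidden prefix."""
    return sorted(t for t in tags if any(t.startswith(p) for p in must_not))


def check_upgrade(manifest, reports, package, new_version):
    """Decide whether `package` may move from its pinned version to
    `new_version`.  Returns (allowed, added, removed, offending).

    Fails closed: if the target version has no scan report, the upgrade is
    refused rather than waved through, since "no findings" would otherwise
    be indistinguishable from "not scanned"."""
    ref = next(r for r in manifest["references"] if r["package"] == package)
    old_key = f"{package}/{ref['version']}"
    new_key = f"{package}/{new_version}"
    if new_key not in reports:
        return False, [], [], [f"no scan report for {new_key}"]
    added, removed = tag_delta(reports.get(old_key, set()), reports[new_key])
    # Check the whole new tag set, not just the additions, so a criterion
    # that was met at pin time is re-verified in full.
    offending = violations(reports[new_key], ref["must_not"])
    return not offending, added, removed, offending


if __name__ == "__main__":
    reports = load_reports(REPORTS_JSON)
    manifest = load_manifest(MANIFEST_JSON)
    ok, added, removed, bad = check_upgrade(manifest, reports, "FastCrypto", "1.1.0")
    print("allowed:", ok)
    print("added:  ", added)
    print("removed:", removed)
    print("blocked by:", bad)
```

The prefix match on tag names is deliberately coarse: a project that said
"no network calls" wants every `Network.*` tag to block, including ones the
rule set did not have when the reference was pinned. The check is only as
good as the scan it consumes; per akavel's warning, a tag's absence in the
new report is not proof the feature is absent from the package.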
       | guydalf wrote:
       | See
       | https://github.com/microsoft/ApplicationInspector/wiki/6.-Un...
       | that answers questions on choice of icons and
       | https://github.com/microsoft/ApplicationInspector/wiki/2.1-F...
       | that talks about language support.
        
       | ocdtrekkie wrote:
       | I could see this as handy when I'm trying to troubleshoot an
       | opaque/proprietary/legacy application. Things like knowing it's
       | talking to environment variables or the registry would be a lot
       | of help drilling down into what it's touching so I know where to
       | look for what's breaking it.
        
       | guydalf wrote:
       | Good point. At a minimum it should clearly state that while the
       | tool didn't "find" such a feature it should not be taken as a
       | security reliable result. See
       | https://github.com/microsoft/ApplicationInspector/wiki/6.-Un...
        
       | SamuelAdams wrote:
       | I wonder if they could marry this with ILSpy [1]. Basically point
       | it at a compiled program, de-compile it, then analyze the
       | decompiled code to see what it's doing. Might be useful in
       | malware analysis and other areas.
       | 
       | [1]: https://github.com/icsharpcode/ILSpy
        
       | SloopJon wrote:
       | I don't see any mention of the languages that it recognizes, but
       | a perusal of some of the JSON files leads me to believe that this
       | handles many different languages. It seems that it's by way of
       | regular expressions, though, not language-specific parsing.
        
         | protanopia wrote:
         | The README has been updated since your comment to include:
         | 
         | > The tool supports scanning various programming languages
         | including C, C++, C#, Java, JavaScript, HTML, Python,
         | Objective-C, Go, Rudy, Powershell and more
        
         | neves wrote:
         | This info is in the front page:
         | 
         | The tool supports scanning various programming languages
         | including C, C++, C#, Java, JavaScript, HTML, Python,
         | Objective-C, Go, Rudy, Powershell and more and includes html,
         | json and text output formats with the default being an html
         | report
        
           | acidictadpole wrote:
           | Ah. The old classic Rudy.
        
             | dana321 wrote:
             | What about Rudt and Godlang?
        
           | SloopJon wrote:
           | Not sure how I missed that. The wiki page it links to has a
           | nice list, which is apparently related to Visual Studio Code.
        
         | kozhevnikov wrote:
         | Does it support HTML? Can one parse HTML with regex?
        
           | singlow wrote:
           | You can't parse it _properly_ with a Regular Expression, but
           | you can parse it with regex-like systems. However I doubt it
           | is parsing outright - it only has to look for certain
           | keywords and patterns that indicate certain behaviors.
        
             | guydalf wrote:
             | Correct. We don't need to parse it per se just look for use
             | of features that are easy to identify like XmlHttpRequest,
             | Json.Parse use etc.
        
           | JadeNB wrote:
           | Boy, are you in for a fun StackExchange read:
           | https://stackoverflow.com/a/1732454 .
        
           | SloopJon wrote:
           | It doesn't appear to be parsing at all. It's just looking for
           | patterns.
           | 
            | If you look at languages.json in RulesEngine/Resources, files
            | with the extension .html (and some others) are recognized as
            | "html", with type "code":
            | 
            |     {
            |       "name": "html",
            |       "extensions": [ ".html", ".htm", ".cshtml", ".tmpl" ],
            |       "type": "code"
            |     },
            | 
            | This sets the scope for the patterns in
            | AppInspector/rules/default; e.g.,
            | 
            |     {
            |       "name": "Content Management Framework: Wordpress",
            |       "id": "AI021200",
            |       "description": "Development Framework: Wordpress",
            |       "applies_to": [ "javascript", "html" ],
            |       "tags": [ "Framework.CMS.Wordpress" ],
            |       "severity": "moderate",
            |       "patterns": [
            |         {
            |           "pattern": "wordpress",
            |           "type": "string",
            |           "scopes": [ "code", "comment" ],
            |           "modifiers": [ "i" ],
            |           "confidence": "high"
            |         }
            |       ]
            |     },
           | 
           | This seems like it would be prone to a lot of false
           | positives, but I haven't tried the tool.
        
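To make the mechanism SloopJon and guydalf describe concrete (extension
lookup, `applies_to`, `scopes`, `modifiers`, and pattern matching rather than
parsing), here is a minimal rule matcher written for this thread. It is an
added example, not Application Inspector's rules engine. The `html` language
entry and the Wordpress rule are the ones quoted above; the `javascript`
language entry, the comment-stripping regexes, and the second rule (id
`EX000001`, tag `Example.DynamicExec`) are constructed to show what a
"code"-only scope does, and the sample files are made up.

```python
import re

# Language table: file extension -> language name.  The html entry is the one
# quoted from languages.json; the javascript entry is constructed.
LANGUAGES = [
    {"name": "html", "extensions": [".html", ".htm", ".cshtml", ".tmpl"], "type": "code"},
    {"name": "javascript", "extensions": [".js"], "type": "code"},
]

# Comment syntax per language, used to split a file into the "code" and
# "comment" scopes a pattern may be restricted to.  Constructed and crude:
# the javascript regex will also treat "//" inside a string literal as a
# comment, which is exactly the imprecision regex-based scanning accepts.
COMMENT_RE = {
    "html": re.compile(r"<!--.*?-->", re.S),
    "javascript": re.compile(r"/\*.*?\*/|//[^\n]*", re.S),
}

RULES = [
    {   # the rule quoted from AppInspector/rules/default
        "name": "Content Management Framework: Wordpress",
        "id": "AI021200",
        "applies_to": ["javascript", "html"],
        "tags": ["Framework.CMS.Wordpress"],
        "severity": "moderate",
        "patterns": [{"pattern": "wordpress", "type": "string",
                      "scopes": ["code", "comment"], "modifiers": ["i"],
                      "confidence": "high"}],
    },
    {   # constructed rule: id, tag and pattern are hypothetical, chosen to
        # show a "code"-only scope (a mention inside a comment must not fire)
        "name": "Dynamic command execution (example)",
        "id": "EX000001",
        "applies_to": ["javascript"],
        "tags": ["Example.DynamicExec"],
        "severity": "important",
        "patterns": [{"pattern": r"\beval\s*\(", "type": "regex",
                      "scopes": ["code"], "modifiers": [], "confidence": "high"}],
    },
]


def language_of(path):
    """Language name for a file, or None if the extension is not in the table."""
    ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
    for lang in LANGUAGES:
        if ext in lang["extensions"]:
            return lang["name"]
    return None


def split_scopes(text, lang):
    """Split text into {'code': ..., 'comment': ...}.  Comments are blanked
    out of the code scope (same length, so offsets survive) so a pattern
    scoped to "code" cannot match inside them."""
    comment_re = COMMENT_RE.get(lang)
    if comment_re is None:
        return {"code": text, "comment": ""}
    comments = comment_re.findall(text)
    code = comment_re.sub(lambda m: " " * len(m.group(0)), text)
    return {"code": code, "comment": "\n".join(comments)}


def compile_pattern(p):
    """'string' patterns are literal (escaped); 'regex' patterns are used as-is.
    The only modifier modelled is 'i' (case-insensitive)."""
    flags = re.IGNORECASE if "i" in p.get("modifiers", []) else 0
    body = re.escape(p["pattern"]) if p["type"] == "string" else p["pattern"]
    return re.compile(body, flags)


def scan(path, text, rules=RULES):
    """Return the set of tags whose rules match the file.  A file whose
    extension is unknown yields no findings at all, one reason the absence
    of a finding proves nothing about what the code does."""
    lang = language_of(path)
    if lang is None:
        return set()
    scopes = split_scopes(text, lang)
    tags = set()
    for rule in rules:
        if lang not in rule["applies_to"]:
            continue
        for p in rule["patterns"]:
            if any(compile_pattern(p).search(scopes[s]) for s in p["scopes"]):
                tags.update(rule["tags"])
                break
    return tags


if __name__ == "__main__":
    print(scan("theme.html", "<!-- generated by WordPress 5.3 -->\n<p>hi</p>"))
    print(scan("app.js", "const y = eval(userInput); // wordpress plugin"))
    print(scan("notes.txt", "this site runs wordpress and calls eval("))
```

Two things worth noticing when running it: the Wordpress rule fires on a
bare mention in an HTML comment because its scopes include "comment", which
is the false-positive exposure SloopJon expects; and a `.txt` file containing
the same words produces nothing, because no language maps to that extension,
which is one concrete form of akavel's point that the tool cannot attest to
what is *not* in a codebase.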
       | c0restraint wrote:
       | Weird, that first screenshot [0] contains Audible's logo [1]
       | which is an Amazon company (far right icon in the first row of
       | icons).
       | 
       | It looks like they are repurposing Audible's logo to mean
       | "Dynamic Command Execution" [2]
       | 
       | [0] https://user-
       | images.githubusercontent.com/47648296/72893326-...
       | 
       | [1] https://m.media-
       | amazon.com/images/G/01/audibleweb/arya/navig...
       | 
       | [2] https://user-
       | images.githubusercontent.com/47648296/71859554-...
        
         | mttjj wrote:
         | I spy logos for GitHub, Wordpress, Adobe, Linux, and Facebook
         | as well. Not sure what they represent though. I would imagine
         | that most of them make sense (Linux is an OS, Facebook is a
         | cloud service, GitHub is a development tool, etc). The only one
         | I'm curious about is Adobe. "Active Content" meaning Flash?
         | 
         | EDIT: Thanks to xroot's comment above, it is indeed Adobe
         | Flash.
        
           | wongarsu wrote:
           | There's also the Adobe Acrobat icon (second to last in
           | "Active Content"), probably to signify PDF.
        
         | xhroot wrote:
         | Heh, the icon is named "audible":
         | "displayName": "Dynamic command execution",
         | "detectedIcon": "fab fa-audible"
         | 
         | It's probably unintentionally used by an engineer unfamiliar
         | with the product as audible is more common as a descriptive
         | word than as a brand.
         | 
         | https://github.com/microsoft/ApplicationInspector/blob/08c91...
        
           | XaspR8d wrote:
           | Yeah this happens pretty often, though I'm surprised it
           | continues with Font Awesome's organizational changes: The
           | "fab" prefix is specifically supposed to communicate that
           | it's an icon from the "Brands" style. (Non-brand icons use
           | "fas".) If you find yourself using a "fab" icon generically,
           | you might want to double-check what it's _supposed_ to
           | represent...
        
             | ehsankia wrote:
             | Honestly, a lot of times when I'm doing quick designs, I
             | just open the font page with all the images and just
             | visually pick any that looks best. Definitely needed some
             | sort of legal pass before release.
        
       | dstaley wrote:
       | Just in case anyone's curious what these reports look like, I've
       | uploaded the reports for curl, grep, and chromium here:
       | https://gracious-jang-bc0194.netlify.com/
        
       | mkup wrote:
       | Wouldn't this analyzer upload entire source code to Microsoft as
       | telemetry?
       | 
       | /s
        
         | thomasgt wrote:
         | I guess you could always analyze the analyzer to be sure...
        
         | bdcravens wrote:
         | Whatever source code that might add is pretty small compared to
         | what is already on Github, which Microsoft owns.
        
         | tumetab1 wrote:
         | > The application is a client .NET Core based tool so it will
         | run on Windows, Linux or macOS and does not require elevated
         | privileges and there is no local database or network
         | communications or telemetry.
        
       | [deleted]
        
       | neves wrote:
       | I'd love to see the generated output of famous programs like
       | grep, curl or chromium. It would give a better idea about what it
       | does.
        
         | dstaley wrote:
         | Here you go! https://gracious-jang-bc0194.netlify.com/
        
       | guydalf wrote:
       | Just wanted to introduce myself as the lead developer on the
       | tool. Valid comments and questions have been dropped here and
       | I've responded to a couple of them already by posting
       | clarifications below and on the project wiki. Yes we are thinking
       | of using the tool for repos like NuGet and maybe Github as a
       | service that automatically identifies detected features for each
       | component. Stay tuned and keep the ideas coming. Happy to answer
       | any further questions.
        
         | Qahlel wrote:
         | as a non-dev, may I ask what this is?
        
           | guydalf wrote:
           | Over 93% of new software applications today use open source
           | from public repositories of source code or other third party
           | code and average over 100 components code that they didn't
           | directly write. Often they have only a partial understanding
           | of what is in them due to time constraints to release their
           | products. That's a big attack surface and knowing what is in
           | the code that developers choose to build their products with
           | is becoming urgent. This tool scans code and reports the
           | types of features found in it to help developers decide
           | whether it does more than they expected from a features
           | standpoint. See the project site and wiki for more
           | https://github.com/Microsoft/ApplicationInspector
        
             | resters wrote:
             | This has been sorely needed for a long time. Thank you for
             | building it!
        
         | proncton wrote:
         | My team has been desperately searching for something like this.
         | We actually started the effort to build our own, and were well
         | into the prototyping phase. You may see some contributions from
         | us in the future.
        
         | Mountain_Skies wrote:
         | Maybe someday it can also work with Azure Devops to produce
         | report artifacts as part of a build pipeline.
        
       | nathell wrote:
       | I pointed it at my Clojure project [1]. It correctly inferred [2]
       | that the project is doing multithreaded network connections,
       | which is nice, especially given that Clojure's a rather niche
       | language.
       | 
       | It quite confidently pointed out an "App container" category, on
       | grounds of the repo containing a circleci/config.yml, which is...
       | technically correct, I guess, but less than useful.
       | 
       | [1]: https://github.com/nathell/skyscraper/ [2]:
       | http://pliki.danieljanus.pl/appinspector-skyscraper/
        
       ___________________________________________________________________
       (page generated 2020-01-28 23:00 UTC)