[HN Gopher] Microsoft Application Inspector
___________________________________________________________________
Microsoft Application Inspector
Author : pjmlp
Score  : 291 points
Date   : 2020-01-28 14:57 UTC (8 hours ago)
web link (github.com)
w3m dump (github.com)

kozhevnikov wrote:
| Sounds like builtwith.com for codebases. I wonder if one can run it against all company repos and generate an accurate stackshare.io alternative.

whatsmyusername wrote:
| Unusable on OS X. It fires off 20+ notarization errors on run.

wongarsu wrote:
| I'm simultaneously amused and saddened that even apps released by Microsoft('s github organization) don't support white-space in paths.

mitchty wrote:
| > The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Rudy, Powershell and more and includes html, json and text output formats with the default being an html report similar to the one shown here.
|
| Is Rudy meant to be Ruby?

  mikerg87 wrote:
  | Yes - it's a typo. There is a pull request for it already.
  |
  | https://github.com/Microsoft/ApplicationInspector/pulls

akavel wrote:
| I think an important warning should be, that it can maybe to some extent tell _"what's [for sure] in it"_, but I suspect it definitely shouldn't be used to verify _"what's NOT in it"_, as in any kind of "security verification". Meaning, if you want to hide some code/malware snippet from it on purpose, I assume you'll definitely find a way to do that. And even if not on purpose, it may still happen accidentally.

gregmac wrote:
| This looks like something that would be nice to have integrated in nuget.org, showing the report output for every package/version (and maybe highlighting deltas across versions).
|
| If you're running this across your own project output, especially for a big code base, it's definitely not going to be as useful as across each dependency.
| For example your app having "analytics services" and "outbound http connections" might be totally normal, but if a library you're using for encryption adds those, that would be a concern.

  nickspag wrote:
  | In regards to the first line of your comment, check out https://www.fuget.org. It does exactly that.

    azinman2 wrote:
    | Sorry, where's the app inspector output in this?
    |
    | https://www.fuget.org/packages/System.Net.Http for example doesn't show me all of that.

  woohoo7676 wrote:
  | This is a great idea - would love to have this info integrated into nuget.
  |
  | Most likely people aren't going to bother to run this on dependencies themselves (not to mention every version update), so having the info surfaced at the point of decision would be very useful and reach a ton more folks.

    joelverhagen wrote:
    | Hey folks, I'm on the NuGet team and I noticed this thread this morning. This is the first I've heard of Application Inspector (Microsoft is a big place!) but the tool looks awesome and the output is easy to understand for a variety of experience levels. The idea of integrating with NuGet sounds very promising! Caveats need to be investigated, i.e. my guess is the report is not exhaustive since code could perhaps call scary APIs in esoteric ways but perhaps there is value even if it covers just MOST of the cases.
    |
    | I've tracked a feature request on GitHub here attempting to represent what was suggested here:
    |
    | https://github.com/NuGet/NuGetGallery/issues/7824
    |
    | Add additional comments if you have thoughts on how it should work or anything else. Our backlog is pretty full right now but we'll update this GitHub issue if there is movement.

      1wd wrote:
      | In addition / instead of showing the results in the web UI, it would be valuable to make Nuget enforce user selected criteria. When referencing a package I would like to annotate that reference with some criteria that are currently met (e.g.
      | the referenced package makes no network calls) and then later for a package upgrade Nuget would automatically check if these criteria are still met, or fail the upgrade.

guydalf wrote:
| See https://github.com/microsoft/ApplicationInspector/wiki/6.-Un... that answers questions on choice of icons and https://github.com/microsoft/ApplicationInspector/wiki/2.1-F... that talks about language support.

ocdtrekkie wrote:
| I could see this as handy when I'm trying to troubleshoot an opaque/proprietary/legacy application. Things like knowing it's talking to environment variables or the registry would be a lot of help drilling down into what it's touching so I know where to look for what's breaking it.

  guydalf wrote:
  | Good point. At a minimum it should clearly state that while the tool didn't "find" such a feature it should not be taken as a security reliable result. See https://github.com/microsoft/ApplicationInspector/wiki/6.-Un...

SamuelAdams wrote:
| I wonder if they could marry this with ILSpy [1]. Basically point it at a compiled program, de-compile it, then analyze the decompiled code to see what it's doing. Might be useful in malware analysis and other areas.
|
| [1]: https://github.com/icsharpcode/ILSpy

SloopJon wrote:
| I don't see any mention of the languages that it recognizes, but a perusal of some of the JSON files leads me to believe that this handles many different languages. It seems that it's by way of regular expressions, though, not language-specific parsing.
  protanopia wrote:
  | The README has been updated since your comment to include:
  |
  | > The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Rudy, Powershell and more

  neves wrote:
  | This info is in the front page:
  |
  | The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Rudy, Powershell and more and includes html, json and text output formats with the default being an html report

    acidictadpole wrote:
    | Ah. The old classic Rudy.

      dana321 wrote:
      | What about Rudt and Godlang?

    SloopJon wrote:
    | Not sure how I missed that. The wiki page it links to has a nice list, which is apparently related to Visual Studio Code.

  kozhevnikov wrote:
  | Does it support HTML? Can one parse HTML with regex?

    singlow wrote:
    | You can't parse it _properly_ with a Regular Expression, but you can parse it with regex-like systems. However I doubt it is parsing outright - it only has to look for certain keywords and patterns that indicate certain behaviors.

      guydalf wrote:
      | Correct. We don't need to parse it per se, just look for use of features that are easy to identify like XmlHttpRequest, Json.Parse use etc.

    JadeNB wrote:
    | Boy, are you in for a fun StackExchange read: https://stackoverflow.com/a/1732454 .

    SloopJon wrote:
    | It doesn't appear to be parsing at all. It's just looking for patterns.
    |
    | If you look at languages.json in RulesEngine/Resources, files with the extension .html (and some others) are recognized as "html", with type "code":
    |
    |   {
    |     "name": "html",
    |     "extensions": [ ".html", ".htm", ".cshtml", ".tmpl" ],
    |     "type": "code"
    |   },
    |
    | This sets the scope for the patterns in AppInspector/rules/default; e.g.,
    |
    |   {
    |     "name": "Content Management Framework: Wordpress",
    |     "id": "AI021200",
    |     "description": "Development Framework: Wordpress",
    |     "applies_to": [ "javascript", "html" ],
    |     "tags": [ "Framework.CMS.Wordpress" ],
    |     "severity": "moderate",
    |     "patterns": [
    |       {
    |         "pattern": "wordpress",
    |         "type": "string",
    |         "scopes": [ "code", "comment" ],
    |         "modifiers": [ "i" ],
    |         "confidence": "high"
    |       }
    |     ]
    |   },
    |
    | This seems like it would be prone to a lot of false positives, but I haven't tried the tool.

c0restraint wrote:
| Weird, that first screenshot [0] contains Audible's logo [1] which is an Amazon company (far right icon in the first row of icons).
|
| It looks like they are repurposing Audible's logo to mean "Dynamic Command Execution" [2]
|
| [0] https://user-images.githubusercontent.com/47648296/72893326-...
|
| [1] https://m.media-amazon.com/images/G/01/audibleweb/arya/navig...
|
| [2] https://user-images.githubusercontent.com/47648296/71859554-...

  mttjj wrote:
  | I spy logos for GitHub, Wordpress, Adobe, Linux, and Facebook as well. Not sure what they represent though. I would imagine that most of them make sense (Linux is an OS, Facebook is a cloud service, GitHub is a development tool, etc). The only one I'm curious about is Adobe. "Active Content" meaning Flash?
  |
  | EDIT: Thanks to xhroot's comment above, it is indeed Adobe Flash.

    wongarsu wrote:
    | There's also the Adobe Acrobat icon (second to last in "Active Content"), probably to signify PDF.
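The matching mechanism SloopJon reads out of languages.json and the default rules above (file extension picks the language, then string or regex patterns are searched per scope), combined with the upgrade-gating criteria 1wd proposed in the NuGet subthread, as an added example that is not part of this thread or of the Application Inspector code base. The LANGUAGES and RULES data are constructed in the quoted shape (the Wordpress rule is the one quoted above, the JSON.parse rule and the C-style comment splitting are my own simplifications), and upgrade_allowed is a hypothetical policy check.

```python
import os
import re

# Constructed data in the shape SloopJon quotes above (Wordpress rule is the
# real one from AppInspector/rules/default); the JSON.parse rule is hypothetical.
LANGUAGES = [
    {"name": "html", "extensions": [".html", ".htm", ".cshtml", ".tmpl"], "type": "code"},
    {"name": "javascript", "extensions": [".js"], "type": "code"},
]
RULES = [
    {"id": "AI021200", "applies_to": ["javascript", "html"],
     "tags": ["Framework.CMS.Wordpress"],
     "patterns": [{"pattern": "wordpress", "type": "string",
                   "scopes": ["code", "comment"], "modifiers": ["i"]}]},
    {"id": "HYPO-0001", "applies_to": ["javascript"],  # hypothetical rule
     "tags": ["Data.Parsing.JSON"],
     "patterns": [{"pattern": r"JSON\.parse\s*\(", "type": "regex",
                   "scopes": ["code"], "modifiers": []}]},
]
COMMENT_RX = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)  # C-style comments only

def language_for(path):
    """Map a file to a language name by extension, as languages.json does."""
    ext = os.path.splitext(path)[1].lower()
    return next((l["name"] for l in LANGUAGES if ext in l["extensions"]), None)

def split_scopes(text):
    """Crude scope split: comment text vs. code text with comments blanked."""
    return {"comment": "\n".join(COMMENT_RX.findall(text)),
            "code": COMMENT_RX.sub(" ", text)}

def compile_pattern(p):
    """'string' patterns are literal; 'regex' patterns are used as written."""
    pat = re.escape(p["pattern"]) if p["type"] == "string" else p["pattern"]
    return re.compile(pat, re.I if "i" in p["modifiers"] else 0)

def scan(files):
    """files: {path: source text}. Returns the set of tags whose rules matched."""
    tags = set()
    for path, text in files.items():
        lang, scopes = language_for(path), split_scopes(text)
        for rule in (r for r in RULES if lang in r["applies_to"]):
            for p in rule["patterns"]:
                if any(compile_pattern(p).search(scopes[s]) for s in p["scopes"]):
                    tags.update(rule["tags"])
    return tags

def upgrade_allowed(old_files, new_files, allowed_new=frozenset()):
    """1wd's criteria check: pass only if every tag gained by the new version was allowed."""
    gained = scan(new_files) - scan(old_files)
    return gained <= set(allowed_new), gained
```

A constructed `// wordpress theme helper` comment is enough to assign the Wordpress tag, which is the false-positive exposure SloopJon anticipates; the same tag set is what the upgrade check diffs between two package versions.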
  xhroot wrote:
  | Heh, the icon is named "audible":
  |
  |   "displayName": "Dynamic command execution",
  |   "detectedIcon": "fab fa-audible"
  |
  | It's probably unintentionally used by an engineer unfamiliar with the product, as audible is more common as a descriptive word than as a brand.
  |
  | https://github.com/microsoft/ApplicationInspector/blob/08c91...

    XaspR8d wrote:
    | Yeah this happens pretty often, though I'm surprised it continues with Font Awesome's organizational changes: the "fab" prefix is specifically supposed to communicate that it's an icon from the "Brands" style. (Non-brand icons use "fas".) If you find yourself using a "fab" icon generically, you might want to double-check what it's _supposed_ to represent...

      ehsankia wrote:
      | Honestly, a lot of times when I'm doing quick designs, I just open the font page with all the images and just visually pick any that looks best. Definitely needed some sort of legal pass before release.

dstaley wrote:
| Just in case anyone's curious what these reports look like, I've uploaded the reports for curl, grep, and chromium here: https://gracious-jang-bc0194.netlify.com/

mkup wrote:
| Wouldn't this analyzer upload entire source code to Microsoft as telemetry?
|
| /s

  thomasgt wrote:
  | I guess you could always analyze the analyzer to be sure...

  bdcravens wrote:
  | Whatever source code that might add is pretty small compared to what is already on Github, which Microsoft owns.

  tumetab1 wrote:
  | > The application is a client .NET Core based tool so it will run on Windows, Linux or macOS and does not require elevated privileges and there is no local database or network communications or telemetry.

  [deleted]

neves wrote:
| I'd love to see the generated output of famous programs like grep, curl or chromium. It would give a better idea about what it does.

  dstaley wrote:
  | Here you go!
  | https://gracious-jang-bc0194.netlify.com/

guydalf wrote:
| Just wanted to introduce myself as the lead developer on the tool. Valid comments and questions have been dropped here and I've responded to a couple of them already by posting clarifications below and on the project wiki. Yes, we are thinking of using the tool for repos like NuGet and maybe GitHub as a service that automatically identifies detected features for each component. Stay tuned and keep the ideas coming. Happy to answer any further questions.

  Qahlel wrote:
  | As a non-dev, may I ask what this is?

    guydalf wrote:
    | Over 93% of new software applications today use open source from public repositories of source code or other third party code and average over 100 components of code that they didn't directly write. Often they have only a partial understanding of what is in them due to time constraints to release their products. That's a big attack surface and knowing what is in the code that developers choose to build their products with is becoming urgent. This tool scans code and reports the types of features found in it to help developers decide whether it does more than they expected from a features standpoint. See the project site and wiki for more: https://github.com/Microsoft/ApplicationInspector

  resters wrote:
  | This has been sorely needed for a long time. Thank you for building it!

proncton wrote:
| My team has been desperately searching for something like this. We actually started the effort to build our own, and were well into the prototyping phase. You may see some contributions from us in the future.

Mountain_Skies wrote:
| Maybe someday it can also work with Azure DevOps to produce report artifacts as part of a build pipeline.

nathell wrote:
| I pointed it at my Clojure project [1].
| It correctly inferred [2] that the project is doing multithreaded network connections, which is nice, especially given that Clojure's a rather niche language.
|
| It quite confidently pointed out an "App container" category, on grounds of the repo containing a circleci/config.yml, which is... technically correct, I guess, but less than useful.
|
| [1]: https://github.com/nathell/skyscraper/
| [2]: http://pliki.danieljanus.pl/appinspector-skyscraper/
___________________________________________________________________
(page generated 2020-01-28 23:00 UTC)