4. Understanding Results
Application Inspector is designed to surface coding characteristics by identifying well-known API functions, library names and similar indicators. The default rule set has proven effective at detecting a broad set of common characteristics: it contains over 450 patterns covering, for example, file IO, ACL use and other OS-level functions, use of cryptography, and more.
It is important to recognize that a feature reported as not present in a code base scanned with Microsoft Application Inspector may still exist in some form. The range of programming languages, language updates, programming frameworks and indirect ways of achieving a behavior makes it impossible to identify every form a given feature may take. We therefore make no claim to detect all features of interest, nor all the variations in which a given feature may exist.
The tool aims to help identify features through automation, but it is not a substitute for a thorough security code review, which may be more definitive for high-risk products. Reliance on the tool is a choice; cloning the rules and improving their detection and reliability for your team's use is always an option. We invite contributions back, or ideas of what should be added.
Developers wanting to hide their operations may obfuscate features, but at some point a recognizable OS or well-known function call must be made, and at a minimum that can be detected in most circumstances. The tool also detects use of encoding that may indicate hidden operations.
Contributions from the community help improve the value of the implementation for others. We continue to add rules to broaden detection, and we continuously strive to improve accuracy and keep the false positive rate low by adding more specificity where needed, or additional sub-patterns called "Conditions" that help verify or negate a pattern match. We welcome contributions or suggestions. For defining your own additional rules, see the Rules page of this wiki.
To obtain only the tags, without detailed match results, use the --tags-only argument.
By default, Application Inspector skips any file whose path falls within a named set of exclusions, which includes paths containing "sample", "test", ".git", ".vs" or "docs". This keeps the false positive rate as low as possible and reports only the actual core features of the component being scanned. If you really need files included that would normally be excluded, there is a command argument for it: -k or --include-sample-paths. See the readme.md on the home page of the project for more.
The default output format for the Analyze command is HTML. It is supported only for this command, as the core feature of the application and the easiest viewing option. It includes support for viewing the detailed matches in source code and other convenient features, but it is not currently transportable because it relies on local resource files for its UI.
Understanding the choice and meaning of icons - We use freely downloadable public icons from fontawesome.com to help visually indicate a type of feature. In some cases an icon may also represent a particular well-known company, but it is not intended to represent solely that entity: social media, for instance, may be represented by a Facebook icon but could just as easily be represented by Twitter or another. No internet connectivity is needed.
The JSON output includes aggregated meta-data fields followed by a Match Details section (an array of objects) that provides source-line-level details of each match. It is auto-generated alongside the HTML format and available from the Summary page (top left), or it may be expressly requested as the only output format.
The Text format is line oriented (not CSV) and nearly identical to the JSON report except for structure.
For a detailed description of each property available in the results, see Analyze Result Properties.
The HTML format is only supported for the Analyze command. JSON and Text formats are supported for all commands, with output directed either to the console or to a file specified by the output file argument.
The result may be a list of tag differences between two scan sources, e.g. two versions of the same project, to help spot significant feature changes between the two as opposed to just bug fixes. Using this feature you might, for instance, detect the introduction of outbound network communications or ACL modifications that were not previously used.
The result may be a list of tags that tested positive or negative against the specified rule set. This can be helpful for narrowing testing to a smaller set of specific tags that you are monitoring for, or that should always exist.
The result may be a list of rules that tested positive or negative for verification against the specified rule set.
The result may be an output file containing the packed rules (output to the console only is not supported).
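The two checks described above (a tag diff between two scans, and a tag test for tags that must or must not be present) can also be applied to saved JSON reports in a CI step. The following is an added example, not code from the Application Inspector project: the two reports are constructed inline, the property names metaData and uniqueTags are an assumption about the JSON layout (adjust result_tags() to match the real report), and the tag names and watched prefixes are constructed to mimic the tool's dotted tag taxonomy.

```python
import json

# Constructed sample reports for two scans of the same project. The layout
# (metaData -> uniqueTags) is an ASSUMPTION about the JSON report format.
OLD_SCAN_JSON = json.dumps({
    "metaData": {
        "applicationName": "example-service",
        "uniqueTags": [
            "OS.FileOperation.Read",
            "OS.FileOperation.Write",
            "Cryptography.Encryption.General",
        ],
    }
})

NEW_SCAN_JSON = json.dumps({
    "metaData": {
        "applicationName": "example-service",
        "uniqueTags": [
            "OS.FileOperation.Read",
            "OS.Network.Connection.Http",
            "OS.Permission.ACL",
            "Cryptography.Encryption.General",
        ],
    }
})

# Tag families whose appearance between two versions warrants review
# (constructed list; tune it to the features your team monitors).
WATCHED_PREFIXES = ("OS.Network.", "OS.Permission.", "OS.Process.")


def result_tags(report_json):
    """Return the set of unique tags from a JSON report (property names assumed)."""
    report = json.loads(report_json)
    return set(report["metaData"]["uniqueTags"])


def tag_diff(old_tags, new_tags):
    """Tags introduced by, and dropped from, the newer scan."""
    return {
        "added": sorted(new_tags - old_tags),
        "removed": sorted(old_tags - new_tags),
    }


def watched_changes(diff, prefixes=WATCHED_PREFIXES):
    """Newly introduced tags that fall under a watched family, e.g. outbound network use."""
    return [tag for tag in diff["added"] if tag.startswith(prefixes)]


def tag_test(tags, must_exist=(), must_not_exist=()):
    """Positive/negative tag test: report tags that are missing or unexpectedly present."""
    missing = sorted(t for t in must_exist if t not in tags)
    unexpected = sorted(t for t in must_not_exist if t in tags)
    return {
        "passed": not missing and not unexpected,
        "missing": missing,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    old_tags = result_tags(OLD_SCAN_JSON)
    new_tags = result_tags(NEW_SCAN_JSON)
    diff = tag_diff(old_tags, new_tags)
    print("added:", diff["added"])
    print("removed:", diff["removed"])
    print("needs review:", watched_changes(diff))
    print(tag_test(new_tags,
                   must_exist=["Cryptography.Encryption.General"],
                   must_not_exist=["OS.Process.DynamicExecution"]))
```

Run against real reports by replacing the two constructed strings with the contents of the saved JSON files; a non-empty watched_changes() result, or a failed tag_test(), is the signal to stop the pipeline and review the change.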