Insecure (SHA-1) source code hashing algorithm (BA2004 error) on Visual Basic assembly targeting .NET FX

[sujitnayak]

Issue

Visual Studio ships an assembly that is written in Visual Basic and targets .NET FX 4.8. Visual Basic compiler automatically generates some classes when it builds this assembly. There is no source file that is generated for these generated classes.

These classes exist in the My namespace and include the following 3 classes:
My.MyApplication
My.MyProject
My.MyComputer

This binary is being built with the -checksumalgorith:SHA256 switch but when Binskim is run on such a binary, it fails with a BA2004 error.

This happens b/c the pdb for such a binary has the following entry for this generated code:

<file id="1" name="" language="VB"/>

So the source file name for id# 1 is empty as seen above.

Repro Steps

1. Create a Visual Basic Console project in Visual Studio 2022 targeting .NET FX 4.8
2. Build the project
3. Run binskim on the built target.

Expected:

Binskim should not fail on such a binary when all the source files are SHA256 hashed.

Actual:

Binskim fails with this error:

<path_to_binary>: warning BA2004: 'Module1.exe' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing.

[shaopeng-gh]

Thanks for filing the bug.

1. this happens for default VB template for legacy .NET framework, but not the default VB template for new .NET ( .NET core)
2. For legacy .NET framework, user can setting _MYTYPE to "Empty"
   https://learn.microsoft.com/en-us/dotnet/visual-basic/developing-apps/customizing-extending-my/customizing-which-objects-are-available-in-my

When _MYTYPE is set to "Custom", the project contains the My namespace, but it contains no objects. However, setting _MYTYPE to "Empty" prevents the compiler from adding the My namespace and its objects.

Tested works for VB projects that does not use MyType.
But it will not work for all of them, using a configuration is valid VB code.
3. BinSkim tool to triage filtering out these few My types.

[jaredpar]

For legacy .NET framework, user can setting _MYTYPE to "Empty"

That will work for the subset of VB customers that do not actually use My features. Overall though My is very much a part of the VB programming experience. I have little expectation that this will work for more than a small percentage of VB customers. This is akin to saying "don't use async in C# code".

warning BA2004: 'Module1.exe' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm.

This warning is simply incorrect. There is no SHA-1 hash being used here. The documents are written with no hash (because there is no document) and BinSkim incorrectly labels it as SHA-1.