@PrzemyslawKlys
…inTrust native handling

* Add public helper `FileInspector.VerifyAuthenticodePolicy(string path)` which:
  * Returns true when WinVerifyTrust deems the file trusted, false when explicitly not trusted, and null when not applicable (no signature, unsupported platform, or on error).
* Fix WinTrust interop allocation/cleanup:
  * Allocate `WINTRUST_FILE_INFO` to unmanaged memory via `pFile`, assign to `data.pFile`, and destroy/free in a `finally` block to prevent leaks.
* Update project file to skip building `net472` on non-Windows agents by adding a conditional `PropertyGroup`, avoiding missing reference-assembly issues on CI.
… disguised-executable & tool indicators

* Add deep container scanning controls and indicators (`DeepContainerScanEnabled`, `DeepContainerMaxEntries`, `DeepContainerMaxEntryBytes`, `KnownToolNameIndicators`, `KnownToolHashes`) to `Settings`.
* Enhance ZIP inspection:
  * Detect OOXML encrypted packages (`EncryptionInfo`/`EncryptedPackage`) and general ZIP encrypted entries (central-directory flags).
  * Perform bounded deep reads of inner entries to detect disguised executables, installer hints and known tool names/hashes; surface neutral findings (e.g., `tool:<name>`, `toolhash:<name>`).
  * Expose `ZipCentralDirectoryHasEncryptedEntries` helper and mark `ArchiveHasEncryptedEntries` / `OoxmlEncrypted` / `ContainerHasDisguisedExecutables` flags on `FileAnalysis`.
* Add a best-effort RAR quick inspect (`TryInspectRarQuick`) to detect RAR4 header-encryption.
* Surface new assessment codes and heuristics:
  * Add assessment entries: `Archive.DisguisedExecutables`, `Archive.EncryptedEntries`, `Office.Encrypted`.
  * Map `tool:` findings into a `Tool.Indicator` score contributor.
* Add strong-file signatures for `7z` and `rar` and wire them into `Detect(...)` so those formats are recognized during detection.
* Add lightweight script/JS heuristics (`bat:certutil`, `js:activex`, `js:mshta`, `js:fromcharcode`) to `SecurityHeuristics`.

Motivation: improve container triage by surfacing encrypted entries, disguised binaries and known tooling indicators while keeping the deep scan bounded and opt-in to preserve performance.
… and 7z; expose `EncryptedEntryCount` and add report/tests

* Count encrypted entries in ZIP central directory (including AES extra field 0x9901) via new `ZipEncryptedEntryCount` and surface result through `TryInspectZip`.
* Enhance central-directory scan (`ZipCentralDirectoryHasEncryptedEntries`) to inspect AES extra fields; return an integer count and set `FileAnalysis.EncryptedEntryCount` when > 0.
* Add quick probes for archive formats:
  * RAR4 / RAR5 header checks for encrypted headers.
  * `TryDetect7zEncryptedHeaders` to detect `kEncodedHeader` (0x17) in 7z Next Header region.
* Add CFBF / OLE directory parsing (`TryGetOleDirectoryNames`) to improve MSI detection confidence from OLE2 streams.
* Introduce `ReportView` to provide a flattened presentation of `FileAnalysis` (includes `EncryptedEntryCount`) and export as dictionary.
* Add unit tests `EncryptedArchiveDetectionTests` validating RAR4, RAR5 and 7z encrypted-header detection.
* Adjust signatures and plumbing in `FileInspector.Analyze` / `TryInspectZip` to propagate encrypted-entry counts and detection flags.
…‑CFBF test, update README

* Expose `SecurityFindings` on `ReportView`, populate from `FileAnalysis.SecurityFindings`, and include in `ToDictionary()`.
* Add `MsiOleCfDetectionTests` to validate MSI detection in minimal OLE/CFBF structures.
* Update `NuGet.README.md` to document `ReportView` keys (including `EncryptedEntryCount`) and example deep container scan settings.
* Remove obsolete RAR4 encrypted-headers test from `EncryptedArchiveDetectionTests`.
…ysis` and `ReportView`

* Add `InnerFindings` property to `FileAnalysis` to hold per-entry indicators collected during deep container scans.
* Populate `FileAnalysis.InnerFindings` in `Analyze` by truncating findings to `Settings.DeepContainerMaxEntries`.
* Expose `InnerFindings` via `ReportView.From` and include it in `ReportView.ToDictionary` for presentation/export.
* Intended as a bounded, presentation-friendly set of per-entry indicators from deep archive inspection.
… renderer, and encrypted-entry accounting

* Add `Legend`, `LegendEntry` and `AssessmentLegend` helpers to humanize analysis flags, heuristics and assessment codes.
* Expose humanized fields on `ReportView` (`FlagsHumanShort/Long`, `SecurityFindingsHuman*`, `InnerFindingsHuman*`, `AssessmentCodesHuman*`) and populate them when building the view.
* Add `MarkdownRenderer` to render a concise, dependency-free Markdown report from a `FileAnalysis`/`ReportView`.
* Enhance container analysis:
  - Distinguish RAR4 vs RAR5 and perform best-effort RAR4 encrypted-entry counting (populate `EncryptedEntryCount`, `SecurityFindings`, and `InnerFindings` tokens).
  - Mark 7z header-encrypted findings and append `SecurityFindings` entries.
  - Preserve fallback quick checks on errors.
* Add NuGet `.nuspec` detection inside ZIP inspection (`nupkg` detection).
* Add EVTX signature support in signatures registry and add `TryMatchEvtx`.
* Add `LegendTests` unit tests and update README sample to reference new humanized fields.
…ers, presentation helpers and detection tweaks

* Populate Authenticode EKUs and timestamp CN (`AuthenticodeInfo.EnhancedKeyUsages`, `TimestampAuthorityCN`) and expose them in `ReportView`.
* Render EKUs and Timestamp Authority in `MarkdownRenderer`.
* Add best-effort archive helpers: `TryCount7zFilesQuick` and `TryCountRar4EncryptedFiles` (budgeted/naive parsing) and wire 7z file counts into `SecurityFindings`.
* Add `ScriptLanguage` + `ScriptLanguageHuman`, `Kind`, `CompactFields` and `PresentationAdvice` to `ReportView` to help hosts present compact, sectioned summaries.
* Add `ScriptLanguageLegend` and Node.js shebang detection (JS) to improve script language hints.
* Add CRX magic signature and map `ftyp` isom/iso2/mp4 brands to `mp4`.
* Extend `Legend` entries and humanization for archive/rar/7z findings.
* Focus on lightweight, dependency-free, best-effort parsing and safe guards (byte budgets, guards, try/catch) to avoid brittle failures.
…, registry/ESE signatures, report fields and tests

* Add `SecurityHeuristics.AssessTextGeneric` to detect IIS W3C logs, Event XML, Sysmon, LDIF, AAD/MDE JSON artifacts and privacy-safe secret categories (privkey/jwt/keypattern); integrate results into `FileInspector.Analyze` while merging with existing `SecurityFindings`.
* Add lightweight signatures for Registry hive and ESE (JET) to fast-path `Detect` and file header detection.
* Expose Windows Mark‑of‑the‑Web (Zone.Identifier) parsing and alternate data stream counting:
  * New `FileSecurity` properties: `AlternateStreamCount`, `MotwZoneId`, `MotwReferrerUrl`, `MotwHostUrl`.
  * Implemented `TryPopulateMotw` and `TryCountAlternateStreams` under appropriate TFMs.
* Enrich `ReportView` with archive inventory, MOTW/ADS and secrets summary fields and wire them into the compact export and presentation advice (incl. `ShowScan`).
* Add human-friendly legend entries for new heuristic codes (logs, AAD, MDE, secrets) and PDF encrypted flag mapping in `ReportView`.
* Add unit tests (`HeuristicsNewTests`) validating detection of Event XML, LDIF, IIS W3C logs and secret patterns.
* Minor formatting tweak for `EnhancedKeyUsages` join delimiter.

These changes add broader neutral security heuristics, better Windows ADS/MOTW visibility, additional content signatures and presentation fields for hosts to consume.
… & legend improvements

* Add permissive JWT fallback and `header.payload.signature` heuristic; ensure `secret:jwt` is surfaced in `SecurityFindings`.
* Map secret scan results into neutral `SecurityFindings` (privkey/jwt/keypattern) so categories are visible alongside `SecretsSummary`.
* Add name/type heuristics for high-signal artifacts: AD (`ntds.dit`/`.dit`), registry hives (`SAM/SYSTEM/SECURITY`), browser credential stores (Chromium/Firefox filenames), and PowerShell transcripts.
* Detect GPO / SYSVOL artifacts during deep container scans and emit `gpo:backup` / `sysvol:policy` findings.
* Harden `SecurityHeuristics`:
  * Implement more robust `LooksLikeJwt` and `LooksLikeJwtFallback` checks and increment `JwtLikeCount` accordingly.
  * Add extra key-material heuristics for `password=`, `pwd=` and `connectionString=` patterns.
* Add KeePass KDBX signature (`TryMatchKeePassKdbx`) and wire detection into `Detect(...)`.
* Fix EKU extraction to skip empty labels and avoid null entries.
* Add new legend entries for added signals and tighten humanization helpers with null/empty guards.
…ission helpers

* Annotate `PopulateUnixMode` as `[UnsupportedOSPlatform("windows")]`.
* Annotate Windows-specific helpers (`PopulateWindowsAcl`, `TryPopulateMotw`, `TryCountAlternateStreams`) as `[SupportedOSPlatform("windows")]` and add `OperatingSystem.IsWindows()` runtime guards to avoid calling Windows APIs on non-Windows hosts.
* Add early-return checks in `ToOctal`/`ToSymbolic` for Windows.
* Minor project file updates: ensure documentation generation and warnings-as-errors entries are present in `FileInspectorX.csproj`.
…, friendly labels, Citrix cues and tests

* Add lightweight crypto detectors: new `Signatures.Crypto.cs` for OpenPGP (binary & ASCII), DER X.509 and PKCS#12/PFX heuristics.
* Extend text/markup detection (`Signatures.TextAndMarkup.cs`) to recognize PEM, OpenSSH keys and ASCII-armored PGP before YAML/front-matter to avoid collisions.
* Add extra MIME defaults for common crypto files (`Detection/Maps.cs`).
* Surface crypto detections from `FileInspector.Detect` (DER/PFX/PGP).
* Add deep archive preview & signer sampling:
  * New `FileAnalysis` fields: `ArchivePreviewEntries`, `InnerExecutablesSampled`, `InnerSignedExecutables`, `InnerValidSignedExecutables`, `InnerPublisherCounts` and `InnerEntryPreview` type.
  * Zip/Tar inspectors return previews and signer counts; `Analyze` populates `FileAnalysis` with bounded, best-effort summaries.
  * Sampling is privacy-oriented (temporary extraction, immediate delete) and bounded by settings.
* Humanization & presentation:
  * New `FriendlyNames` mapping for user-friendly labels (e.g., X.509, PFX, PGP).
  * `Legend` entries for Citrix cues and related human text.
  * `ReportView` extended to include friendly label, archive preview and inner-signer summary fields and exported dictionary entries.
* Add neutral Citrix hints in `SecurityHeuristics` and lightweight `Analyze` text-subtype detection for `citrix-ica` / `citrix-receiver-config`.
* Add unit tests `CryptoDetectionsTests.cs` covering PGP (binary & ASCII), PEM/CSR/key, DER cert, and PKCS#12 detection.
* Minor compatibility/fix: runtime platform guards in `FileInspector.Permissions.cs` to avoid `OperatingSystem.IsWindows()` calls on older TFMs.

This change improves detection coverage for crypto/config formats, adds useful archive preview/signature triage info, enhances presentation for consumers, and includes tests.
…egend entries and tests

* Add `TextLogDetectionsTests` unit tests for common Windows text logs (DNS, Firewall, Netlogon, Event Viewer text export, DHCP, Exchange message tracking, SQL Server ERRORLOG, Windows Defender, NPS/RADIUS, SQL Server Agent).
* Implement heuristics in `SecurityHeuristics` and `Signatures.TextAndMarkup.cs` to detect these formats and emit neutral codes/reasons (e.g. `log:dns`, `text:log-dns`, `text:log-firewall`, `text:log-netlogon`, `text:event-txt`, `text:log-dhcp`, `text:log-exchange`, `text:log-defender`, `text:log-sql-errorlog`, `text:log-nps`, `text:log-sqlagent`). Set appropriate confidence levels and boost combined timestamp/level detections.
* Update `FriendlyNames` to return more descriptive labels for `log` detections (e.g. "Windows DNS Server log", "Windows Firewall log", "SQL Server ERRORLOG") and fix ordering for `yaml`/`eml`.
* Extend `Legend` with entries for the new log codes so UI/legend rendering can show human-friendly names, categories and descriptions.
* Tweak generic log-level detection to use `text:log-levels` and improve confidence logic when timestamps and level tokens appear together.
…er-signer sampling, heuristics, refs, WinTrust cache and tests

* HTML/ref extraction
  * Add HTML reference extractor (href/src/data/action/css url) in `FileInspector.References` and emit URL/FilePath `Reference` entries (CDN and host summaries).
  * Set `ContentFlags.HtmlHasExternalLinks` when disallowed external hosts are present and add `HtmlLinks` presentation code.
  * Add unit test `TextDetectionsTests.Html_External_Links_Parsed`.

* Certificates
  * Introduce `CertificateInfo` on `FileAnalysis` for standalone certs (.cer/.crt/.der/.pem) and parse basic metadata, chain/trust and SAN presence.
  * Add PKCS#7 bundle parsing (`.p7b`/`.spc`) via `TryParseP7b` and expose `CertificateBundleCount`/`CertificateBundleSubjects`.
  * Surface certificate fields in `ReportView`.

* Inner-archive signer sampling
  * Implement best-effort signer sampling for RAR4 and deep sampling for TAR/zip entries (bounded by settings) to populate `InnerExecutablesSampled`, `InnerSignedExecutables`, `InnerValidSignedExecutables` and `InnerPublisherCounts`.
  * Propagate sampling via `_lastContainerInnerSample` so callers receive aggregated results.

* WinTrust caching
  * Add local caching and pruning for WinVerifyTrust results with TTL and max-entries; expose `WinTrustCacheTtlMinutes` and `WinTrustCacheMaxEntries` in `Settings`.
  * Opportunistic prune when cache grows beyond limit.

* Heuristics and signatures
  * Improve text/markup heuristics: stronger PowerShell, VBScript, shell and batch cues; add JS heuristics and broaden script name detection.
  * Add OLE legacy VBA macro detection for `.doc`/`.xls`/`.ppt` and set `OleHasVbaMacros` flag.

* Security & networking heuristics
  * Enhance `SecurityHeuristics` to extract UNC shares and HTTP hosts, emit `net:unc`, `net:map`, `net:hosts` markers.
  * Optional network enrichment: DNS resolution and ICMP ping (configurable via `Settings`) to annotate findings.

* Flags, assessment & settings
  * Add `HtmlHasExternalLinks` and `OleHasVbaMacros` flags.
  * Map `Html.ExternalLinks` into assessment scoring.
  * Add various settings: `CheckNetworkPathsInReferences`, HTML allowed domains, host resolve/ping controls and timeouts.

* Misc
  * Add utility helpers (`TryLoadCertificateFromFile`, `Latin1String`, `CountOoxmlExternalTargets`, `TrySampleRar4InnerSigners`, etc.) and minor ReportView presentation improvements.

Motivation: provide richer, fidelity-preserving analysis for HTML/network references, certificates and archive signer signals while keeping deep scans bounded and optionally network-aware via settings.
…o `1.0.0`

* Add packaging and publish helpers:
  * `Build/Build-Package.ps1` - invoke release build with code signing
  * `Build/Publish-PackageGitHub.ps1` - publish GitHub release asset
  * `Build/Publish-PackageNuget.ps1` - publish NuGet package
  * `Build/Update-Version.ps1` - helper to inspect and set project versions
* Prepare project for 1.0.0 release:
  * Bump `VersionPrefix` to `1.0.0` in `FileInspectorX/FileInspectorX.csproj` and `FileInspectorX.PowerShell/FileInspectorX.PowerShell.csproj`
  * Update module `ModuleVersion` to `1.0.0` in `Module/Build/Build-Module.ps1` and `Module/FileInspectorX.psd1`
* Motivation: streamline packaging/publishing and mark the stable `1.0.0` release.
…chment and host allowlist split

* Add best-effort `TryScan7zExecutablesFromHeader` to scan 7z "Next Header" UTF-16LE strings for `.exe`/`.dll` names and surface counts/previews when `DeepContainerScanEnabled`.
* Populate `ArchivePreviewEntries` and set `ContentFlags.ContainerContainsExecutables` and `7z:names-exe` security finding when names found.
* Add `TryGetMsiVersion` P/Invoke (`MsiGetFileVersionW`) and use it during analysis to enrich `VersionInfo["ProductVersion"]` for `.msi` when `IncludeInstaller`.
* Extend MSI extraction (`TryPopulateMsiProperties` / `TryPopulateMsiSummary`) to capture additional MSI properties: `ProductVersion`, `UpgradeCode`, `ALLUSERS` -> `Scope`, ARP URL/contact fields, and SummaryInformation `RevisionNumber` -> `PackageCode`.
* Expand `InstallerInfo`, `InstallerView`, and `ReportView` to include new MSI fields (UpgradeCode, Scope, PackageCode, UrlInfoAbout, UrlUpdateInfo, HelpLink, SupportUrl, Contact) and expose installer summary in reports.
* Enhance `SecurityHeuristics` to split discovered hosts into internal vs external using `Settings.HtmlAllowedDomains` (adds `net:hosts-int` / `net:hosts-ext`) and introduce `IsAllowedHost` helper.
* Update `Settings` docs to note `HtmlAllowedDomains` is also used by text/script heuristics.

Small defensive guards and try/catch usage added to keep changes low-risk and cross-platform safe.
* Introduces `.github/workflows/ci.yml` to centralize CI using EvotecIT reusable workflows.
* Adds cross-platform .NET test jobs (`dotnet-windows`, `dotnet-ubuntu`, `dotnet-macos`) and a Windows Pester job (`pester-windows`) for PS 5.1/7.
* Enables coverage collection, test summarization, artifact upload and sticky PR failure summaries; builds use `FileInspectorX.sln`.
* Adds path ignores for docs/images and includes a PR-only `claude-review` job for automated code review.
* Remove `frameworks: '["net8.0"]'` from `dotnet-windows`, `dotnet-ubuntu`, and `dotnet-macos` to avoid redundancy with `dotnet_versions` and the reusable workflow defaults.
* Prevent possible conflicts when running multiple TFMs by centralizing target configuration.
* Tidy up trailing blank line at EOF.
…rkflows to `master`

* Update reusable workflow references from `@main` to `@master` for .NET, Pester and Claude review jobs.
* Disable per-job sticky PR comments (set `post_summary_issue: false`) to prevent multiple failing-test comments.
* Remove per-job `dotnet_versions` entries.
* Add a new `summary` job in `ci.yml` that:
  * downloads TRX and Pester artifacts,
  * aggregates failing tests into a single Markdown summary (writes to `GITHUB_STEP_SUMMARY` and outputs `hasfailures`),
  * posts or updates one sticky PR comment (marker: `evotec-ci-aggregate-summary`) via `actions/github-script`.
* Purpose: reduce PR noise by centralizing failing-test reporting into one consolidated comment.
…act downloads

* Remove `if-no-artifact-found: ignore` from TRX and Pester `actions/download-artifact@v4` steps.
* Align with v4 behavior (input deprecated/unsupported) and avoid warnings/errors from invalid inputs.
* Simplifies workflow and relies on the action's native handling of missing artifacts.
…sable workflows and align inputs

* Replace `unified-ci.yml` usages with `ci-dotnet.yml` for .NET jobs and `ci-powershell.yml` for the PowerShell job.
* Update job inputs to use `os`, `summarize_failures`, and `enable_codecov` (remove deprecated/unused flags).
* Add `module_manifest`, `rebuild_psd1`, and `dotnet_version` where appropriate for PowerShell job.
* Add explicit `permissions` to the `summary` job and make the consolidated PR comment step run for all PRs (not only when failures exist).
* Motivation: simplify configuration by using purpose-built reusable workflows, enable code coverage upload, and centralize PR test summaries.
… export scanning and MSI refinements

* Add inner-publisher breakdowns (total/valid/self-signed) from inner executable sampling and surface them on `FileAnalysis` and `ReportView`.
* Implement PE export enumeration (`PeReader.TryListExportNames`) and emit security findings like `pe:exports`, `pe:top` and `pe:regsvr`; add human-friendly legend entries for these codes.
* Add lightweight managed TFM detection (`TryDetectTargetFramework`) and surface as `VersionInfo["TargetFramework"]` for managed PE.
* Emit additional signature/installer codes (`Sig.WinTrustInvalid`, `Sig.NoTimestamp`, `Msi.PerUser`, `Msi.UrlsPresent`, `PE.RegSvrExport`) used by assessment scoring.
* Promote generic OLE2 detections to `msi` when MSI metadata discovered; increase OLE2 directory sector bounds to improve MSI detection robustness.
* Add best-effort service indicator (`pe:servicemain`) and DLL export-based COM registration detection to augment `SecurityFindings`.
* Expose `PeInfo` export fields (`ExportRva`, `ExportSize`) and wire through `PeReader` reading logic.
* Flatten MSI custom action counters into `ReportView` for templating and reporting.
@github-actions
github-actions bot commented Oct 26, 2025

CI Failing Tests Summary — 4 failed, 78 passed, 0 skipped (82 total)

.NET

results-all

  • ❌ FileInspectorX.Tests.HeuristicsNewTests.Secrets_PrivKey_Jwt_KeyPattern_Detected
    • System.ArgumentNullException : Value cannot be null. (Parameter 'collection')
  • ❌ FileInspectorX.Tests.TextLogDetectionsTests.Detect_Dns_Server_Log
    • Assert.Equal() Failure: Strings differ
      ↓ (pos 0)
      Expected: "Windows DNS Server log"
      Actual: "Text log"
      ↑ (pos 0)
  • ❌ FileInspectorX.Tests.TextDetectionsTests.Lua_Heuristic_Detected
    • Assert.Equal() Failure: Strings differ
      ↓ (pos 0)
      Expected: "lua"
      Actual: "js"
      ↑ (pos 0)
  • ❌ FileInspectorX.Tests.TextLogDetectionsTests.Detect_Event_Viewer_Text_Export
    • Assert.Equal() Failure: Strings differ
      ↓ (pos 0)
      Expected: "log"
      Actual: "yml"
      ↑ (pos 0)

PowerShell (Pester)

  • ℹ️ No Pester test results found

…ged PE files

* Parse the CLR header (IMAGE_COR20_HEADER) in the PE reader and check the `COMIMAGE_FLAGS_STRONGNAMESIGNED` (0x00000008) flag; populate `PeInfo.DotNetStrongNameSigned`.
* Surface the signal in analysis/reporting by adding `DotNetStrongNameSigned` to `FileAnalysis`/`ReportView`, mapping the value during view construction and including it in the exported key/value map.
* Non-fatal CLR parsing errors are ignored to avoid breaking PE triage on malformed images.
…arsing

* Add/download of `counts-*` summaries and expose job results to the aggregator via env vars.
* Improve TRX parsing to count Passed/Failed/Skipped and accumulate per-matrix totals.
* Make Pester (NUnit) parsing more robust: normalize results, count passed/failed/skipped, and include group titles.
* Surface job-level statuses (failure/cancelled) as a CI Status section in the report.
* Aggregate per-matrix totals from `*.json` counts into a Markdown table when available.
* Tidy up output handling (use `let md` in JS) and append an artifacts link to the posted PR comment.
…r.yml` job

* Replace multiple per-OS `ci-dotnet.yml` and `ci-powershell.yml` jobs and the separate `claude-review` and `summary` jobs with a single `ci` job using `EvotecIT/github-actions/.github/workflows/ci-orchestrator.yml@master`.
* Provide combined inputs (e.g. `os_dotnet`, `ps_versions`, `module_manifest`, `test_script`, `run_pester`, `enable_codecov`, `claude_review`, `post_pr_comment`) so the orchestrator handles matrix runs, Pester, Claude review and reporting.
* Remove custom failing-tests aggregation and per-OS job duplication; simplifies workflow maintenance and centralizes CI behavior.
* Shorten workflow name to `FileInspectorX CI`.
* Rename `run_pester` -> `ps_run`
* Rename `module_manifest` -> `ps_module_manifest`
* Rename `test_script` -> `ps_test_script`
* Rename `tests_path` -> `ps_tests_path`
* Rename `empty_tests_behavior` -> `ps_empty_tests_behavior`
* Aligns CI workflow inputs with the reusable `ci-dotnet`/`ci-powershell` orchestrator schema; no functional behavior changes
* Update CI workflow input to enforce failing on empty PowerShell tests.
* Ensures missing tests cause CI failure instead of emitting a warning, preventing silent test gaps.
* File changed: `.github/workflows/ci.yml`
…ummary to `ReportView`

* Introduce presentation fields: `InnerBinariesSummary`, `HtmlExternalLinksSample`, `HtmlUncSample`,
  `ScriptUrlsSample`, `ScriptUncSample`, `HtmlExternalLinksFull`, `HtmlUncFull`, `ScriptUrlsFull`,
  `ScriptUncFull`, and `ScriptCmdlets`.
* Build a compact one-line `InnerBinariesSummary` from inner executable counts (sampled/signed/valid)
  and top publisher when available.
* Extract top-N HTML and script references (URLs and UNC paths), truncating long items; optionally
  emit full newline-separated lists when `Settings.ReferenceFullListsEnabled` (with max char cap).
* Title-case and limit displayed script cmdlets; defensive try/catch to avoid breaking parsing.
* Wire new fields into `ToDictionary()` so templates/log sinks receive the added samples and summary.
…ning, and .NET strong-name signals

* Add `ScriptCmdlets` to `FileAnalysis` and populate it from `SecurityHeuristics.GetCmdlets` during analysis for presentation.
* Implement `GetCmdlets(path, budget)` to best-effort detect common PowerShell cmdlets/verbs from file head.
* Add `TryExtractScriptReferences` to extract absolute HTTP(S) URLs and UNC share roots from common script extensions and wire it into reference extraction.
* Surface `.NET` strong-name status from PE parsing into `FileAnalysis.DotNetStrongNameSigned` and incorporate into scoring:
  * emit `DotNet.StrongName` with a small negative weight when signed, or `DotNet.NoStrongName` when not.
* Add `Settings.ReferenceFullListsEnabled` and `Settings.ReferenceFullListsMaxChars` to control exporting full lists of discovered references.
* Add friendly labels for `nupkg` and `xap` container types.
* Minor robustness/layout fixes: null-safe checks around detection extension handling and small `ReportView` string-splitting/join improvements for script cmdlet presentation.
* Maintain defensive failure modes (catch-all) for the new heuristics to avoid analysis crashes.
…ps1` mismatches

* If the file name declares `.msi` and `IncludeInstaller` is enabled, promote detection to `msi` (set `Extension`, `MimeType`, `Confidence`, `Reason`) and attempt to read MSI properties via `TryPopulateMsiProperties`.
* Add heuristics in `CompareDeclared` to treat `txt` ↔ `ps1` as equivalent and to accept low-confidence `ps1` detections when the declared extension is `txt` to avoid false-positive mismatches for changelogs/readmes.
* Changes are defensive (wrapped in try/catch) and aim to improve detection/enrichment and reduce noisy mismatch reports.
* Update `.github/workflows/ci.yml` to change PowerShell empty-test handling from `fail` to `skip`.
* Prevent CI from failing on PRs/repos with no PowerShell tests, reducing noisy failures while preserving other CI behavior.
…cutableExtCounts`)

* Add `InnerExecutableExtCounts` (IReadOnlyDictionary<string,int>?) to `FileAnalysis` and `ReportView`.
* Extend `TryInspectZip` to return `innerExecExtCounts` and populate it from container extension tallies (exe, dll, msi, sys, com, scr, cpl).
* Wire values into `FileInspector.Analyze` result and surface them in `ReportView` (including export map) when non-empty.
* Non-breaking: counts are optional and only set when detected.
…ectorX.Tests.ps1`

* Insert a blank line after the required-modules loop to separate dependency-install logic from the subsequent `Write-Color` summary output.
* Purely formatting — no functional changes.
@PrzemyslawKlys PrzemyslawKlys merged commit 0b418b7 into master Oct 26, 2025
7 checks passed
@PrzemyslawKlys PrzemyslawKlys deleted the Iprovements branch October 26, 2025 15:00
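
Added example, not code from this pull request or from FileInspectorX: a stand-alone C# version of the ZIP central-directory check the commits above describe (general-purpose flag bit 0 plus the AES extra field 0x9901), run over a constructed buffer. `ZipEncryptionProbe`, `CountEncryptedEntries` and the sample entry names are hypothetical; ZIP64 archives are assumed out of scope.

```csharp
using System;
using System.Buffers.Binary;
using System.IO;
using System.Text;

// Hypothetical helper for illustration; not the project's ZipEncryptedEntryCount.
static class ZipEncryptionProbe
{
    const uint EocdSig = 0x06054b50, CdfhSig = 0x02014b50;

    static ushort U16(ReadOnlySpan<byte> b, int off) =>
        BinaryPrimitives.ReadUInt16LittleEndian(b.Slice(off));

    // Walks the extra-field blocks (id:2, size:2, data) looking for the AES id 0x9901.
    static bool HasAesExtra(ReadOnlySpan<byte> extra)
    {
        int p = 0;
        while (p + 4 <= extra.Length)
        {
            if (U16(extra, p) == 0x9901) return true;
            p += 4 + U16(extra, p + 2);
        }
        return false;
    }

    // Returns the number of encrypted entries, or -1 when no end-of-central-directory
    // record is found. Reads only the central directory, never entry data, and stops
    // at maxEntries or at the first malformed header (bounded, best-effort).
    public static int CountEncryptedEntries(ReadOnlySpan<byte> zip, int maxEntries = 10_000)
    {
        // EOCD is 22 bytes plus an optional comment of up to 65535 bytes: search backwards.
        int eocd = -1, lowest = Math.Max(0, zip.Length - 22 - 0xFFFF);
        for (int i = zip.Length - 22; i >= lowest; i--)
            if (BinaryPrimitives.ReadUInt32LittleEndian(zip.Slice(i)) == EocdSig) { eocd = i; break; }
        if (eocd < 0) return -1;

        int total = U16(zip, eocd + 10);                                        // total entries
        long pos = BinaryPrimitives.ReadUInt32LittleEndian(zip.Slice(eocd + 16)); // CD offset
        int count = 0;
        for (int n = 0; n < total && n < maxEntries; n++)
        {
            if (pos + 46 > eocd) break;                       // header must end before EOCD
            var h = zip.Slice((int)pos);
            if (BinaryPrimitives.ReadUInt32LittleEndian(h) != CdfhSig) break;
            ushort flags = U16(h, 8);
            int nameLen = U16(h, 28), extraLen = U16(h, 30), commentLen = U16(h, 32);
            long extraStart = pos + 46 + nameLen;
            if (extraStart + extraLen > eocd) break;          // lengths point outside the CD
            // Bit 0 of the general-purpose flag marks an encrypted entry; the AES extra
            // field is checked as well so AES entries are counted even if bit 0 is clear.
            if ((flags & 0x0001) != 0 || HasAesExtra(zip.Slice((int)extraStart, extraLen)))
                count++;
            pos = extraStart + extraLen + commentLen;
        }
        return count;
    }

    // Constructed sample: a central directory plus EOCD only (no entry data).
    static byte[] BuildSample()
    {
        var ms = new MemoryStream();
        var w = new BinaryWriter(ms);
        void Entry(string name, ushort flags, ushort method, byte[] extra)
        {
            byte[] n = Encoding.ASCII.GetBytes(name);
            w.Write(CdfhSig); w.Write((ushort)20); w.Write((ushort)20);
            w.Write(flags); w.Write(method);
            w.Write(new byte[16]);   // time, date, CRC-32, sizes (zeroed)
            w.Write((ushort)n.Length); w.Write((ushort)extra.Length); w.Write((ushort)0);
            w.Write(new byte[12]);   // disk start, attributes, local header offset
            w.Write(n); w.Write(extra);
        }
        // AES extra field: id 0x9901, size 7, version 2, vendor "AE", strength 3, method 8.
        byte[] aes = { 0x01, 0x99, 0x07, 0x00, 0x02, 0x00, 0x41, 0x45, 0x03, 0x08, 0x00 };
        Entry("readme.txt", 0x0000, 8, Array.Empty<byte>());  // not encrypted
        Entry("legacy.bin", 0x0001, 8, Array.Empty<byte>());  // flag bit 0 set
        Entry("aes.bin", 0x0000, 99, aes);                    // bit 0 cleared: extra-field path
        w.Flush();
        uint cdSize = (uint)ms.Length;
        w.Write(EocdSig); w.Write((ushort)0); w.Write((ushort)0);
        w.Write((ushort)3); w.Write((ushort)3);
        w.Write(cdSize); w.Write(0u); w.Write((ushort)0);
        w.Flush();
        return ms.ToArray();
    }

    static void Main() =>
        Console.WriteLine($"encrypted entries: {CountEncryptedEntries(BuildSample())}");
}
```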