Microsoft Application Inspector (github.com/microsoft)
419 points by pjmlp on Jan 28, 2020 | hide | past | favorite | 61 comments



This looks like something that would be nice to have integrated in nuget.org, showing the report output for every package/version (and maybe highlighting deltas across versions).

If you're running this across your own project output, especially for a big code base, it's definitely not going to be as useful as across each dependency. For example your app having "analytics services" and "outbound http connections" might be totally normal, but if a library you're using for encryption adds those, that would be a concern.


In regards to the first line of your comment, check out https://www.fuget.org. It does exactly that.


Sorry, where's the app inspector output in this?

https://www.fuget.org/packages/System.Net.Http for example doesn't show me all of that.


This is a great idea - would love to have this info integrated into nuget.

Most likely people aren't going to bother to run this on dependencies themselves (not to mention on every version update), so having the info surfaced at the point of decision would be very useful and reach a ton more folks.


Hey folks, I'm on the NuGet team and I noticed this thread this morning. This is the first I've heard of Application Inspector (Microsoft is a big place!) but the tool looks awesome and the output is easy to understand for a variety of experience levels. The idea of integrating with NuGet sounds very promising! Caveats need to be investigated, i.e. my guess is the report is not exhaustive since code could perhaps call scary APIs in esoteric ways but perhaps there is value even if it covers just MOST of the cases.

I've tracked a feature request on GitHub here attempting to represent what was suggested here:

https://github.com/NuGet/NuGetGallery/issues/7824

Add additional comments if you have thoughts on how it should work or anything else. Our backlog is pretty full right now but we'll update this GitHub issue if there is movement.


In addition / instead of showing the results in the web UI, it would be valuable to make Nuget enforce user selected criteria. When referencing a package I would like to annotate that reference with some criteria that are currently met (e.g. the referenced package makes no network calls) and then later for a package upgrade Nuget would automatically check if these criteria are still met, or fail the upgrade.


This sounds like a request for the NuGet client experience and less for browsing nuget.org. My expertise is more on the nuget.org side and less on the client side (like .NET CLI or Visual Studio). Could you file an issue for the NuGet client suggestion here?

https://github.com/NuGet/Home/issues/new

If you have some ideas in the space of how specifically it could work, maybe mention where/how (e.g. what file) you'd like to declare these "rules".


Just wanted to introduce myself as the lead developer on the tool. Valid comments and questions have been dropped here and I've responded to a couple of them already by posting clarifications below and on the project wiki. Yes we are thinking of using the tool for repos like NuGet and maybe Github as a service that automatically identifies detected features for each component. Stay tuned and keep the ideas coming. Happy to answer any further questions.


I ran this against a file sharing application I am working on and the results were strange. Security features were supremely emphasized, even security concepts I didn’t realize I was focusing energy on. I am not saying the tool is wrong, but just that it picked security better than I had intentionally considered. No other features were highlighted though, so you still have no idea what the application is doing.

https://github.com/prettydiff/share-file-systems


My team has been desperately searching for something like this. We actually started the effort to build our own, and were well into the prototyping phase. You may see some contributions from us in the future.


smile


Maybe someday it can also work with Azure Devops to produce report artifacts as part of a build pipeline.


We like it - keep the ideas coming!


as a non-dev, may I ask what this is?


Over 93% of new software applications today use open source from public repositories of source code or other third-party code and average over 100 components of code that they didn't directly write. Often they have only a partial understanding of what is in them due to time constraints to release their products. That's a big attack surface, and knowing what is in the code that developers choose to build their products with is becoming urgent. This tool scans code and reports the types of features found in it to help developers decide whether it does more than they expected from a features standpoint. See the project site and wiki for more: https://github.com/Microsoft/ApplicationInspector


This has been sorely needed for a long time. Thank you for building it!


Weird, that first screenshot [0] contains Audible's logo [1] which is an Amazon company (far right icon in the first row of icons).

It looks like they are repurposing Audible's logo to mean "Dynamic Command Execution" [2]

[0] https://user-images.githubusercontent.com/47648296/72893326-...

[1] https://m.media-amazon.com/images/G/01/audibleweb/arya/navig...

[2] https://user-images.githubusercontent.com/47648296/71859554-...


Heh, the icon is named "audible":

    "displayName": "Dynamic command execution",
    "detectedIcon": "fab fa-audible"
It's probably unintentionally used by an engineer unfamiliar with the product as audible is more common as a descriptive word than as a brand.

https://github.com/microsoft/ApplicationInspector/blob/08c91...


Yeah this happens pretty often, though I'm surprised it continues with Font Awesome's organizational changes: The "fab" prefix is specifically supposed to communicate that it's an icon from the "Brands" style. (Non-brand icons use "fas".) If you find yourself using a "fab" icon generically, you might want to double-check what it's supposed to represent...


Honestly, a lot of times when I'm doing quick designs, I just open the font page with all the images and just visually pick any that looks best. Definitely needed some sort of legal pass before release.


I spy logos for GitHub, Wordpress, Adobe, Linux, and Facebook as well. Not sure what they represent though. I would imagine that most of them make sense (Linux is an OS, Facebook is a cloud service, GitHub is a development tool, etc). The only one I'm curious about is Adobe. "Active Content" meaning Flash?

EDIT: Thanks to xroot's comment above, it is indeed Adobe Flash.


There's also the Adobe Acrobat icon (second to last in "Active Content"), probably to signify PDF.


I pointed it at my Clojure project [1]. It correctly inferred [2] that the project is doing multithreaded network connections, which is nice, especially given that Clojure's a rather niche language.

It quite confidently pointed out an "App container" category, on grounds of the repo containing a circleci/config.yml, which is... technically correct, I guess, but less than useful.

[1]: https://github.com/nathell/skyscraper/ [2]: http://pliki.danieljanus.pl/appinspector-skyscraper/


Just in case anyone's curious what these reports look like, I've uploaded the reports for curl, grep, and chromium here: https://gracious-jang-bc0194.netlify.com/


I think an important warning should be, that it can maybe to some extent tell "what's [for sure] in it", but I suspect it definitely shouldn't be used to verify "what's NOT in it", as in any kind of "security verification". Meaning, if you want to hide some code/malware snippet from it on purpose, I assume you'll definitely find a way to do that. And even if not on purpose, it may still happen accidentally.


> The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Rudy, Powershell and more and includes html, json and text output formats with the default being an html report similar to the one shown here.

Is Rudy meant to be Ruby?


Yes - it's a typo. There is a pull request for it already.

https://github.com/Microsoft/ApplicationInspector/pulls


I don't see any mention of the languages that it recognizes, but a perusal of some of the JSON files leads me to believe that this handles many different languages. It seems that it's by way of regular expressions, though, not language-specific parsing.


This info is in the front page:

The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Rudy, Powershell and more and includes html, json and text output formats with the default being an html report


Ah. The old classic Rudy.


And ... "A message to you, Rudy!" - that be my favourite ska song from the Specials :)


What about Rudt and Godlang?


Not sure how I missed that. The wiki page it links to has a nice list, which is apparently related to Visual Studio Code.


The README has been updated since your comment to include:

> The tool supports scanning various programming languages including C, C++, C#, Java, JavaScript, HTML, Python, Objective-C, Go, Rudy, Powershell and more


Does it support HTML? Can one parse HTML with regex?


It doesn't appear to be parsing at all. It's just looking for patterns.

If you look at languages.json in RulesEngine/Resources, files with the extension .html (and some others) are recognized as "html", with type "code":

  {
    "name": "html",
    "extensions": [ ".html", ".htm", ".cshtml", ".tmpl" ],
    "type": "code"
  },

This sets the scope for the patterns in AppInspector/rules/default; e.g.,

  {
    "name": "Content Management Framework: Wordpress",
    "id": "AI021200",
    "description": "Development Framework: Wordpress",
    "applies_to": [ "javascript", "html" ],
    "tags": [ "Framework.CMS.Wordpress" ],
    "severity": "moderate",
    "patterns": [
      {
        "pattern": "wordpress",
        "type": "string",
        "scopes": [ "code", "comment" ],
        "modifiers": [ "i" ],
        "confidence": "high"
      }
    ]
  },
This seems like it would be prone to a lot of false positives, but I haven't tried the tool.
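To make the mechanics above concrete (extension-to-language mapping from languages.json, then rules whose `applies_to` list gates which patterns run against a file), here is a toy rules engine in the same shape. It is an added example written for this thread, not code from the ApplicationInspector repository; the `languages.json` subset, the second rule (`EXAMPLE-0001`, "Outbound HTTP") and the sample "packages" are constructed, and treating a `"string"` pattern as a whole-word literal while ignoring `scopes` is an assumption about the real engine, not its documented behaviour. It also exercises two other points raised in the thread: diffing tags between two versions of a dependency and failing on a tag the consumer declared unacceptable (the "make NuGet enforce criteria" idea), and the caveat that a pattern scanner cannot prove what is NOT in the code, shown by a string-concatenated `XMLHttpRequest` that produces no hit at all.

```python
import json
import re
from pathlib import PurePosixPath

# Constructed subset of languages.json (extension -> language name), in the
# same shape as the "html" entry quoted in the comment above.
LANGUAGES_JSON = r"""
[
  { "name": "html",       "extensions": [".html", ".htm", ".cshtml", ".tmpl"], "type": "code" },
  { "name": "javascript", "extensions": [".js", ".mjs"],                       "type": "code" },
  { "name": "markdown",   "extensions": [".md"],                               "type": "text" }
]
"""

# Constructed rules in the shape of the Wordpress rule quoted above. The HTTP
# rule (and its id EXAMPLE-0001) is made up for this example, not a real rule.
RULES_JSON = r"""
[
  {
    "name": "Content Management Framework: Wordpress", "id": "AI021200",
    "applies_to": ["javascript", "html"], "tags": ["Framework.CMS.Wordpress"],
    "patterns": [ { "pattern": "wordpress", "type": "string", "modifiers": ["i"] } ]
  },
  {
    "name": "Outbound HTTP (example)", "id": "EXAMPLE-0001",
    "applies_to": ["javascript"], "tags": ["Network.Http.Outbound"],
    "patterns": [ { "pattern": "\\bnew\\s+XMLHttpRequest\\s*\\(|\\bfetch\\s*\\(", "type": "regex", "modifiers": [] } ]
  }
]
"""

def load_languages(languages_json):
    """Map each file extension to its language name."""
    return {ext: lang["name"]
            for lang in json.loads(languages_json)
            for ext in lang["extensions"]}

def compile_rules(rules_json):
    """Turn rules into (applies_to, tags, compiled regex) triples.
    Assumption: a "string" pattern is a whole-word literal; "regex" is used as
    written. Scopes (code vs. comment) are ignored, so comments match too."""
    compiled = []
    for rule in json.loads(rules_json):
        for pat in rule["patterns"]:
            flags = re.IGNORECASE if "i" in pat.get("modifiers", []) else 0
            if pat["type"] == "string":
                src = r"\b" + re.escape(pat["pattern"]) + r"\b"
            else:
                src = pat["pattern"]
            compiled.append((set(rule["applies_to"]), tuple(rule["tags"]),
                             re.compile(src, flags)))
    return compiled

def scan(files, ext_map, rules):
    """files: {path: source text}. Returns {tag: [paths where a pattern fired]}."""
    hits = {}
    for path, text in files.items():
        lang = ext_map.get(PurePosixPath(path).suffix.lower())
        if lang is None:
            continue  # unknown extension: never scanned, never reported
        for applies_to, tags, regex in rules:
            if lang in applies_to and regex.search(text):
                for tag in tags:
                    hits.setdefault(tag, []).append(path)
    return hits

def new_tags(old_hits, new_hits):
    """Tags present in the new version's report but absent from the old one's."""
    return set(new_hits) - set(old_hits)

def check_criteria(hits, forbidden_tags):
    """Tags a consumer declared unacceptable for this dependency (the
    'make NuGet enforce criteria' idea): non-empty means fail the upgrade."""
    return sorted(tag for tag in hits if tag in forbidden_tags)

# Constructed sample "packages": v1 of an encryption library, and a v2 that
# quietly grows an outbound HTTP call plus a comment that trips the CMS rule.
CRYPTO_LIB_V1 = {
    "lib/cipher.js": "export function encrypt(key, data) { /* pure JS, no I/O */ return data; }\n",
    "README.md": "Works with WordPress and other CMSs.\n",  # markdown: no rule applies
}
CRYPTO_LIB_V2 = dict(CRYPTO_LIB_V1)
CRYPTO_LIB_V2["lib/cipher.js"] += (
    "// tested against a WordPress plugin\n"   # comment alone fires the CMS tag (false positive)
    "const beacon = new XMLHttpRequest();\n"    # the change a consumer actually cares about
)
# Same API reached via string concatenation: invisible to pattern matching.
EVASIVE = {"lib/e.js": 'const r = new (globalThis["XMLHttp" + "Request"])();\n'}

if __name__ == "__main__":
    ext_map, rules = load_languages(LANGUAGES_JSON), compile_rules(RULES_JSON)
    v1, v2 = scan(CRYPTO_LIB_V1, ext_map, rules), scan(CRYPTO_LIB_V2, ext_map, rules)
    print("v1:", v1)
    print("v2:", v2)
    print("new in v2:", new_tags(v1, v2))
    print("violations:", check_criteria(v2, {"Network.Http.Outbound"}))
    print("evasive:", scan(EVASIVE, ext_map, rules))
```

Running it shows the two sides of the thread's discussion at once: v2 gains `Network.Http.Outbound`, which a consumer who pinned "no network calls" would want to fail on, but it also gains `Framework.CMS.Wordpress` from nothing more than a comment, and the concatenated-string variant reports nothing. Absence of a tag is therefore evidence only that no pattern fired, not that the feature is absent.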


Boy, are you in for a fun StackExchange read: https://stackoverflow.com/a/1732454 .


You can't parse it properly with a Regular Expression, but you can parse it with regex-like systems. However I doubt it is parsing outright - it only has to look for certain keywords and patterns that indicate certain behaviors.


Correct. We don't need to parse it per se, just look for use of features that are easy to identify like XmlHttpRequest, Json.Parse use, etc.


I wonder if they could marry this with ILSpy [1]. Basically point it at a compiled program, de-compile it, then analyze the decompiled code to see what it's doing. Might be useful in malware analysis and other areas.

[1]: https://github.com/icsharpcode/ILSpy


I'm simultaneously amused and saddened that even apps released by Microsoft('s github organization) don't support white-space in paths.


It's a big company! Even people are not that consistent! For one, I'm seeing that the "mono" culture (not sure if pun intended, or not) is going away from there!


I'd love to see the generated output of famous programs like grep, curl or chromium. It would give a better idea about what it does.



Excellent! Really nice app. Now I understand it a lot better.


See https://github.com/microsoft/ApplicationInspector/wiki/6.-Un... that answers questions on choice of icons and https://github.com/microsoft/ApplicationInspector/wiki/2.1-F... that talks about language support.


I could see this as handy when I'm trying to troubleshoot an opaque/proprietary/legacy application. Things like knowing it's talking to environment variables or the registry would be a lot of help drilling down into what it's touching so I know where to look for what's breaking it.


Good point. At a minimum it should clearly state that while the tool didn't "find" such a feature it should not be taken as a security reliable result. See https://github.com/microsoft/ApplicationInspector/wiki/6.-Un...


Sounds like builtwith.com for codebases. I wonder if one can run it against all company repos and generate an accurate stackshare.io alternative.


Unusable on osx. It fires off 20+ notarization errors on run.


Mac Catalina restrictions appear to be the issue, where app launch checks were relaxed for a bit and then made more aggressive very recently. We added an issue on the app project site to look into whether the app or just .NET Core or both need a macOS notice fix, but there's a workaround discussed here: https://www.cultofmac.com/672576/cant-launch-your-apps-on-ma...


Affects .NET Core 2.1, 3.0, 3.1 - not app specific, but a workaround exists as mentioned and is tracked here: https://github.com/microsoft/ApplicationInspector/issues/123


Yep. Oddly, if you click Cancel on every dialog, it does successfully run. But that's a complete dealbreaker.


Webex's godawful browser plugin has the same issue.

I ended up having to put in 50 exceptions one by one over the course of half an hour. Just about the worst.


What does MS Application Inspector have to tell about MS Application Inspector?


One thing I'm not a fan of in C# is how often libraries lack bundled source code, while in other similar languages (e.g. Java) you can use "Go to Definition" on pretty much any third-party library/anything without hassle.


This is changing (slowly) for .NET. Nuget packages support something called Source Link [1] and can embed URLs to Github/Bitbucket/Etc.

IDEs like Visual Studio and Rider can download the code on demand and debug step-through.

Tons of popular .NET libs (including the Microsoft ones) already support this.

[1] https://docs.microsoft.com/en-us/dotnet/standard/library-gui...


.NET decompilers are really good these days. It's usually easier than finding the source code, and definitely easier than finding documentation that explains how things are supposed to, let alone actually, work.


[flagged]


> The application is a client .NET Core based tool so it will run on Windows, Linux or macOS and does not require elevated privileges and there is no local database or network communications or telemetry.


Whatever source code that might add is pretty small compared to what is already on Github, which Microsoft owns.


I guess you could always analyze the analyzer to be sure...



