Description
opened on May 3, 2024
Issue
Visual Studio ships an assembly that is written in Visual Basic and targets .NET FX 4.8. The Visual Basic compiler automatically generates some classes when it builds this assembly. No source file is generated for these generated classes.
These classes exist in the My namespace and include the following 3 classes:
- My.MyApplication
- My.MyProject
- My.MyComputer
This binary is being built with the -checksumalgorithm:SHA256 switch, but when BinSkim is run on such a binary, it fails with a BA2004 error.
This happens because the PDB for such a binary has the following entry for this generated code:

```xml
<file id="1" name="" language="VB"/>
```

So the source file name for id# 1 is empty as seen above.
Repro Steps
- Create a Visual Basic Console project in Visual Studio 2022 targeting .NET FX 4.8
- Build the project
- Run binskim on the built target.
Expected:
BinSkim should not fail on such a binary when all the source files are SHA256 hashed.
Actual:
BinSkim fails with this error:

```text
<path_to_binary>: warning BA2004: 'Module1.exe' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing.
```
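
A triage sketch for the situation reported above, added here as an example and not taken from BinSkim or from the issue author: it reads an XML dump of a PDB's document table and separates documents that really carry a non-SHA256 checksum from nameless entries with no checksum at all, like the `<file id="1" name="" language="VB"/>` entry quoted in the issue. The `checksumAlgorithm` and `checksum` attribute names, the `<symbols>`/`<files>` wrapper, and the sample paths and hashes are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of the <file> entry quoted in the issue.
# The checksumAlgorithm/checksum attributes and the wrapper elements are
# assumptions about the PDB dump format, not taken from the issue.
SAMPLE_PDB_XML = """
<symbols>
  <files>
    <file id="1" name="" language="VB"/>
    <file id="2" name="C:\\src\\Module1.vb" language="VB"
          checksumAlgorithm="SHA256" checksum="AA-BB-CC"/>
    <file id="3" name="C:\\src\\Legacy.vb" language="VB"
          checksumAlgorithm="SHA1" checksum="DD-EE-FF"/>
  </files>
</symbols>
"""

def classify_documents(pdb_xml, strong=("SHA256",)):
    """Sort PDB document entries into strong, weak and unhashed buckets."""
    report = {"strong": [], "weak": [],
              "unhashed_generated": [], "unhashed_named": []}
    for f in ET.fromstring(pdb_xml).iter("file"):
        name = f.get("name", "")
        algo = f.get("checksumAlgorithm")
        if algo is None:
            # No checksum recorded. An empty name matches the entry for the
            # compiler-generated My.* classes; a named file with no hash is
            # a different case and deserves a manual look.
            key = "unhashed_generated" if name == "" else "unhashed_named"
        elif algo.upper() in strong:
            key = "strong"
        else:
            key = "weak"
        report[key].append((f.get("id"), name))
    return report

def has_weak_source_hash(pdb_xml):
    """True only when some document really carries a non-SHA256 checksum."""
    return bool(classify_documents(pdb_xml)["weak"])

if __name__ == "__main__":
    for bucket, entries in classify_documents(SAMPLE_PDB_XML).items():
        print(bucket, entries)
```
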